Abstract. We address the problem of conditional termination, which is that of defining the set of initial configurations from which a given program always terminates. First we define the dual set, of initial configurations from which a non-terminating execution exists, as the greatest fixpoint of the function that maps a set of states into its pre-image with respect to the transition relation. This definition allows one to compute the non-termination precondition if either (i) the transition relation is deterministic, (ii) the descending Kleene sequence overapproximating the greatest fixpoint converges in finitely many steps, or (iii) the transition relation is well-founded. We show that this is the case for two classes of relations, namely octagonal and finite monoid affine relations. Moreover, since the closed forms of these relations can be defined in Presburger arithmetic, we obtain the decidability of the termination problem for such loops.

We show that the weakest non-termination precondition for octagonal relations can be 
computed in time polynomial in the number of variables of the relation. Furthermore, for 
every well-founded octagonal relation, we prove the existence of an effectively computable 
well-founded witness relation for which a linear ranking function exists. 

For the class of linear affine relations we show that the weakest non-termination precondition can be defined in Presburger arithmetic if the relation has the finite monoid property. Otherwise, for a more general subclass, called polynomially bounded affine relations, we give a method of under-approximating the termination preconditions.

Finally, we apply the method of computing weakest non-termination preconditions to 
more complex transition relations, by relying on the computation of transition invariants. 
In this way we could infer non-termination preconditions of several programs. These 
preliminary experiments provided encouraging results, reported in this paper. 
1. Introduction

The termination problem asks whether every computation of a given program ends in a halting state. The universal termination problem asks whether a given program stops for every possible input configuration. Both problems are among the first ever to be shown undecidable, by A. Turing [34]. In many cases however, programs will terminate when started in certain configurations, and may run forever when started in other configurations. The problem of determining the set of configurations from which a program terminates on all paths is called conditional termination.

In program analysis, the presence of non-terminating runs has traditionally been considered faulty. However, more recently, with the advent of reactive systems [25], accidental termination can be an equally serious error. For instance, when designing a web server, a developer would like to make sure that the main program loop will not exit unless a stopping request has been issued. These facts led us to consider the conditional non-termination problem, which is determining the set of initial configurations which guarantee that the program will not exit.

In this paper we focus on programs that handle integer variables, performing Presburger arithmetic tests and (possibly non-deterministic) updates. A first observation is that the set of configurations guaranteeing non-termination is the greatest fixpoint of the pre-image $\mathrm{pre}_R$ of the program's transition relation¹ $R$. This set, called the weakest recurrent set,² and denoted $\mathrm{wrs}(R)$ in our paper, can be computed if either (i) the pre-image of the transition relation is continuous (this is the case, for instance, when the transition relation is deterministic), (ii) the descending Kleene sequence that overapproximates the greatest fixpoint eventually stabilizes, or (iii) the relation is well-founded and $\mathrm{wrs}(R) = \emptyset$. If one of these conditions holds and moreover, the closed form of the infinite sequence of relations $\{R^i\}_{i \geq 0}$, obtained by composing the transition relation with itself $0, 1, 2, \ldots$ times, can be defined using a decidable fragment of arithmetic, we obtain decidability proofs for the universal termination problem, for free.

Contributions of this paper. The main novelty in this paper is of a rather theoretical nature: we show that the non-termination preconditions for integer transition relations defined as either octagons or linear affine loops with the finite monoid property are definable in quantifier-free Presburger arithmetic. Thus, the universal termination problem for such program loops is decidable. However, since quantifier elimination in Presburger arithmetic is a complex procedure, we have developed alternative ways of deriving the preconditions for non-termination, and in particular:

• for octagonal relations, we use a result from [8], namely that the sequence $\{R^i\}_{i \geq 0}$ is, in some sense, periodic. Based on this, we develop an algorithm that computes the weakest non-termination precondition of $R$ in time polynomial in the number of variables of $R$. Moreover, we investigate the existence of linear ranking functions and prove that for each well-founded octagonal relation, there exists an effectively computable witness relation, i.e., a well-founded relation that has a linear ranking function.

¹ If the program is non-deterministic, the existence of a single infinite run, among other finite runs, suffices to consider an initial configuration non-terminating.

² This definition is the dual of the reachability set, needed for checking safety properties: the reachability set is the least fixpoint of the post-image of the transition relation.
• for linear affine relations, weakest recurrent sets can be defined in Presburger arithmetic if we consider several restrictions concerning the transformation matrix. If the matrix $A$ defining $R$ has eigenvalues which are either zeros or roots of unity, all non-zero eigenvalues being of multiplicity one (these conditions are equivalent to the finite monoid property of [3, 18]), then $\mathrm{wrs}(R)$ is Presburger definable. Otherwise, if all non-zero eigenvalues of $A$ are roots of unity, of multiplicities greater than or equal to one, $\mathrm{wrs}(R)$ can be expressed using polynomial terms. In this case, we can systematically issue Presburger termination preconditions.

Practical applications. Unfortunately, in practice, the cases in which the closed form of the sequence $\{R^i\}_{i \geq 0}$ is definable in a decidable fragment of arithmetic are fairly rare. All relations considered so far are conjunctive, meaning that they can represent only simple program loops of the form while (condition) {body} where the loop body contains no further conditional constructs. In order to deal with more complicated program loops, we use the method of transition invariants [28] to compute (sound overapproximations of) weakest non-termination preconditions for programs with complex transition relations. Concretely, we compute an overapproximation of the transition invariant, which is the transitive closure of the transition relation, i.e. $R^+$, restricted to the states reachable from some set of initial configurations. If one can find a finite union $R_1 \cup \ldots \cup R_k$ of octagonal relations that overapproximates the transition invariant, then $\mathrm{wrs}(R_1) \cup \ldots \cup \mathrm{wrs}(R_k)$ is an overapproximation of the weakest non-termination set of $R$.

This method can infer non-termination preconditions for programs without procedure calls. It is moreover shown to be complete for a class of programs without nested loops, called flat programs. Concerning programs with (recursive) calls, one can compute (overapproximations of) the summaries of the procedures in the program and use these summaries to generate a program without calls that has an equivalent weakest non-termination precondition, following the method described in [3]. We have implemented the computation of transition invariants and procedure summaries in the Flata tool for the analysis of integer programs. Several experiments on inferring (non-)termination preconditions have been performed, and are reported.

Roadmap. The paper is organized as follows. Section 2 introduces the notation and some basic concepts needed throughout the paper. Section 3 defines weakest recurrent sets as greatest fixpoints of the pre-image of the transition relation. Sections 4 and 5 apply this definition to the computation of weakest recurrent sets for octagonal and linear affine relations. Section 6 extends the computation of weakest termination preconditions from simple conjunctive loops to integer programs, and Section 7 reports on the implementation and experiments performed on several integer programs. Finally, Section 8 concludes.



The core results presented in this paper have been reported in [9]. In addition to the work presented in [9], here we improve the time complexity for the computation of weakest non-termination preconditions for octagonal relations, and give a polynomial time algorithm. Moreover, we extend the results from [9] from simple conjunctive program loops to computing non-termination preconditions for full integer programs, and give a decidability result for the universal termination problem, for a class of programs without nested loops.
1.1. Related Work. The literature on program termination is vast. Most work focuses however on universal termination, such as the techniques for synthesizing linear ranking functions of Sohn and Van Gelder [32] or Podelski and Rybalchenko [27], and the more sophisticated method of Bradley, Manna and Sipma [12], which synthesizes lexicographic polynomial ranking functions, suitable when dealing with disjunctive loops. However, not every terminating program (loop) has a linear (polynomial) ranking function. In this paper, we show that for an entire class of non-deterministic linear relations, defined using octagons, termination is always witnessed by a computable octagonal relation that has a linear ranking function.

Another line of work considers the decidability of termination for simple (conjunctive) linear loops. Initially, Tiwari [33] showed decidability of termination for affine linear loops interpreted over reals, while Braverman [13] refined this result by showing decidability over rationals and over integers, for homogeneous relations of the form $C_1 \mathbf{x} > 0 \wedge C_2 \mathbf{x} \geq 0 \wedge \mathbf{x}' = A\mathbf{x}$. The non-homogeneous integer case seems to be much more difficult as it is closely related to the open Skolem's Problem [20]: given a linear recurrence $\{u_i\}_{i \geq 0}$, determine whether $u_i = 0$ for some $i \geq 0$.

To our knowledge, the first work on proving non-termination of simple loops is reported 
in [19]. The notion of recurrent sets occurs in this work, however, without the connection 
with fixpoint theory, which is introduced in the present work. Finding recurrent sets in [19] 
is complete with respect to a predefined set of templates, typically linear systems of rational 
inequalities. 

The work which is closest to ours is probably that of Cook et al. [15]. In that paper, 
the authors develop an algorithm for deriving termination preconditions by first guessing 
a ranking function candidate (typically the linear term from the loop condition) and then 
inferring a supporting assertion which guarantees that the candidate function decreases 
with each iteration. The step of finding a supporting assertion requires a fixpoint itera- 
tion in order to find an invariant condition. Unlike our work, the authors of [15] do not 
address issues related to completeness: the method is not guaranteed to find the weakest 
precondition for termination, even in cases when this set can be computed. On the other 
hand, it is applicable to a large range of programs extracted from real-life software. To 
compare our method with theirs, we tried the examples available in [15]. For those which 
are polynomially bounded affine relations, we used our under-approximation method and 
have computed termination preconditions, which turn out to be slightly more general than 
the ones reported in [15]. 

2. Preliminary Definitions 

We denote by $\mathbb{Z}$, $\mathbb{N}$ and $\mathbb{N}_+$ the sets of integers, positive (including zero) and strictly positive integers, respectively. We denote by $\mathbb{Z}_\infty$ and $\mathbb{Z}_{-\infty}$ the sets $\mathbb{Z} \cup \{\infty\}$ and $\mathbb{Z} \cup \{-\infty\}$, respectively. In this paper we use a set of variables $\mathbf{x} = \{x_1, x_2, \ldots, x_n\}$, for some $n > 0$. The set of primed variables is $\mathbf{x}' = \{x'_1, x'_2, \ldots, x'_n\}$. These variables are assumed to be ranging over $\mathbb{Z}$. For a set $S \subseteq \mathbb{Z}$ of integers, we denote by $\min S$ the smallest integer $s \in S$, if one exists, and by $\inf S$ the largest integer $m \in \mathbb{Z}$ such that $m \leq s$, for all $s \in S$.

A linear term $t$ over a set of variables in $\mathbf{x}$ is a linear combination of the form $a_0 + \sum_{i=1}^{n} a_i x_i$, where $a_0, a_1, \ldots, a_n \in \mathbb{Z}$. Presburger arithmetic is the first-order logic over propositions $t \leq 0$. Presburger arithmetic has quantifier elimination and is decidable [29]. For simplicity we consider only formulas in Presburger arithmetic in this paper.
For a first-order logical formula $\varphi$ let $FV(\varphi)$ denote the set of its free variables. By writing $\varphi(\mathbf{x})$ we imply that $FV(\varphi) \subseteq \mathbf{x}$. For a formula $\varphi(\mathbf{x})$, we denote by $\varphi[t_1/x_1, \ldots, t_n/x_n]$ the formula obtained from $\varphi$ by syntactically replacing each free occurrence of $x_1, \ldots, x_n$ with the terms $t_1, \ldots, t_n$, respectively.

A valuation of $\mathbf{x}$ is a function $\nu : \mathbf{x} \rightarrow \mathbb{Z}$. The set of all such valuations is denoted by $\mathbb{Z}^{\mathbf{x}}$. If $\nu \in \mathbb{Z}^{\mathbf{x}}$, we denote by $\nu \models \varphi$ the fact that the formula obtained from $\varphi$ by replacing each occurrence of $x_i$ with $\nu(x_i)$ is valid. Similarly, an arithmetic formula $R(\mathbf{x}, \mathbf{x}')$ defining a relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ is evaluated with respect to two valuations $\nu_1$ and $\nu_2$, by replacing each occurrence of $x_i$ with $\nu_1(x_i)$ and each occurrence of $x'_i$ with $\nu_2(x_i)$. The satisfaction relation is denoted $(\nu_1, \nu_2) \models R$. By $\models \varphi$ we denote the fact that $\varphi$ is valid, i.e., logically equivalent to true. We say that an arithmetic formula $\varphi(\mathbf{x})$ is consistent if there exists a valuation $\nu$ such that $\nu \models \varphi$. We use the symbols $\Rightarrow, \Leftrightarrow$ to denote logical implication and equivalence, respectively. The consistency of a formula $\varphi$ is usually denoted by writing $\varphi \not\Rightarrow \mathrm{false}$. In the following, we will sometimes abuse the notation and use the same symbols for relations (sets) and their defining formulae.

The composition of two relations $R_1, R_2 \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ is defined as $R_1 \circ R_2 = \{(\nu, \nu') \in \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}} \mid \exists \nu'' \in \mathbb{Z}^{\mathbf{x}} \,.\, (\nu, \nu'') \in R_1 \wedge (\nu'', \nu') \in R_2\}$. For any relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$, we consider $R^0$ to be the identity relation $\mathcal{I} = \{(\nu, \nu) \mid \nu \in \mathbb{Z}^{\mathbf{x}}\}$ and define $R^{i+1} = R^i \circ R$, for all $i \geq 0$. $R^i$ is called the $i$-th power of $R$ in the sequel. With these notations, $R^+ = \bigcup_{i \geq 1} R^i$ denotes the transitive closure of $R$, and $R^* = R^+ \cup \mathcal{I}$ denotes the reflexive and transitive closure of $R$. The inverse of $R$ is defined as $R^{-1} = \{(\nu', \nu) \mid (\nu, \nu') \in R\}$. The inverse powers of a relation $R$ are defined inductively $R^{-(i+1)} = R^{-i} \circ R^{-1}$ for each $i \geq 1$. The post-image of a set $S \subseteq \mathbb{Z}^{\mathbf{x}}$ via a relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ is defined as $R(S) = \{\nu' \in \mathbb{Z}^{\mathbf{x}} \mid \exists \nu \in S \,.\, (\nu, \nu') \in R\}$. The pre-image of $S$ via $R$ is defined as $R^{-1}(S)$. A relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ is said to be deterministic if and only if $(\nu, \nu') \in R$ and $(\nu, \nu'') \in R$ implies $\nu' = \nu''$, for all $\nu, \nu', \nu'' \in \mathbb{Z}^{\mathbf{x}}$.

A function $F : 2^{\mathbb{Z}^{\mathbf{x}}} \rightarrow 2^{\mathbb{Z}^{\mathbf{x}}}$ is said to be monotonic if and only if $X \subseteq Y$ implies $F(X) \subseteq F(Y)$ for any two sets $X, Y \subseteq \mathbb{Z}^{\mathbf{x}}$, and $\cap$-continuous if and only if $F(\bigcap_{i \geq 1} X_i) = \bigcap_{i \geq 1} F(X_i)$, for any infinite sequence $\{X_i \subseteq \mathbb{Z}^{\mathbf{x}}\}_{i \geq 1}$. The greatest fixpoint of $F$ is the largest set $X$ such that $F(X) = X$, and is denoted $\mathrm{gfp}\,F$. The function that maps each set $X \subseteq \mathbb{Z}^{\mathbf{x}}$ into its pre-image $R^{-1}(X)$ is denoted by $\mathrm{pre}_R$ in the following. It is easy to show that $\mathrm{pre}_R$ is monotonic, and that $\mathrm{pre}_R^m = \mathrm{pre}_{R^m}$, for all $m \geq 0$.

3. Weakest Preconditions for Non-termination

This section is concerned with the definition of weakest preconditions for non-termination, and the characterization of such preconditions as greatest fixpoints of the pre-image function. We also give certain conditions under which these fixpoints are computable as limits of descending Kleene sequences, and finally, define them using first-order integer arithmetic.

Let $\mathbf{x} = \{x_1, \ldots, x_n\}$ be a set of variables interpreted over $\mathbb{Z}$. We start by defining the notions of $*$-consistent and well-founded relations.

Definition 1. A relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ is said to be $*$-consistent if and only if, for any $m > 0$, there exists a sequence of valuations $\{\nu_i \in \mathbb{Z}^{\mathbf{x}}\}_{i=0}^{m}$, such that $(\nu_i, \nu_{i+1}) \in R$, for all $i = 0, \ldots, m-1$. $R$ is said to be well-founded if and only if there is no infinite sequence of valuations $\{\nu_i \in \mathbb{Z}^{\mathbf{x}}\}_{i \geq 0}$, such that $(\nu_i, \nu_{i+1}) \in R$, for all $i \geq 0$.

Notice that if a relation is not $*$-consistent, then it is also well-founded. However the dual is not true. For instance, the relation $R = \{(n, n-1) \mid n > 0\}$ is both $*$-consistent and well-founded. Also notice that a relation $R$ is $*$-consistent if and only if $R^i$ is consistent for all $i > 0$.

Definition 2. A set $S \subseteq \mathbb{Z}^{\mathbf{x}}$ is said to be a non-termination precondition for a relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ if and only if, for each $\nu \in S$ there exists an infinite sequence of valuations $\{\nu_i \in \mathbb{Z}^{\mathbf{x}}\}_{i \geq 0}$ such that $\nu = \nu_0$ and $(\nu_i, \nu_{i+1}) \in R$, for all $i \geq 0$.

If $S_0, S_1, \ldots$ are all non-termination preconditions for $R$, then the (possibly infinite) union $\bigcup_{i=0,1,\ldots} S_i$ is a non-termination precondition for $R$ as well. The set $\mathrm{wnt}(R) = \bigcup\{S \subseteq \mathbb{Z}^{\mathbf{x}} \mid S \text{ is a non-termination precondition for } R\}$ is called the weakest non-termination precondition for $R$. A relation $R$ is well-founded if and only if $\mathrm{wnt}(R) = \emptyset$. A set $S$ such that $S \cap \mathrm{wnt}(R) = \emptyset$ is called a termination precondition.

Definition 3. A set $S \subseteq \mathbb{Z}^{\mathbf{x}}$ is said to be recurrent for a relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ if and only if $S \subseteq \mathrm{pre}_R(S)$.

Notice that if $S$ is a recurrent set for a relation $R$, then for each $\nu \in S$ there exists $\nu' \in S$ such that $(\nu, \nu') \in R$.

Proposition 1. Let $S_0, S_1, \ldots \subseteq \mathbb{Z}^{\mathbf{x}}$ be a (possibly infinite) sequence of sets, all of which are recurrent for a relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$. Then their union $\bigcup_{i=0,1,\ldots} S_i$ is recurrent for $R$ as well.

Proof. For each $i$ we have $S_i \subseteq \mathrm{pre}_R(S_i) \subseteq \mathrm{pre}_R(\bigcup_{j=0,1,\ldots} S_j)$. The last inclusion is by the monotonicity of $\mathrm{pre}_R$. Hence $\bigcup_{i=0,1,\ldots} S_i \subseteq \mathrm{pre}_R(\bigcup_{j=0,1,\ldots} S_j)$. □

The set $\mathrm{wrs}(R) = \bigcup\{S \subseteq \mathbb{Z}^{\mathbf{x}} \mid S \text{ is a recurrent set for } R\}$ is called the weakest recurrent set for $R$. By Proposition 1, $\mathrm{wrs}(R)$ is recurrent for $R$. The following lemma shows that in fact, this is exactly the set of valuations from which an infinite iteration is possible.

Lemma 1. Given a relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$, the weakest recurrent set for $R$ equals its weakest non-termination precondition.

Proof. "$\mathrm{wrs}(R) \subseteq \mathrm{wnt}(R)$" Let $\nu_0 \in \mathrm{wrs}(R)$ be a valuation. Then there exists $\nu_1 \in \mathrm{wrs}(R)$ such that $(\nu_0, \nu_1) \in R$. Applying this argument infinitely many times, one can construct an infinite sequence $\nu_0, \nu_1, \nu_2, \ldots$ such that $(\nu_i, \nu_{i+1}) \in R$, for all $i \geq 0$. Hence $\nu_0 \in \mathrm{wnt}(R)$. "$\mathrm{wnt}(R) \subseteq \mathrm{wrs}(R)$" Let $\nu_0 \in \mathrm{wnt}(R)$ be a valuation and let $\nu_0, \nu_1, \nu_2, \ldots$ be an arbitrary infinite sequence such that $(\nu_i, \nu_{i+1}) \in R$, for all $i \geq 0$. Clearly, $\nu_1 \in \mathrm{wnt}(R)$ too. Consequently, $\nu_0 \in \mathrm{pre}_R(\mathrm{wnt}(R))$ for each state $\nu_0 \in \mathrm{wnt}(R)$ and hence, $\mathrm{wnt}(R) \subseteq \mathrm{pre}_R(\mathrm{wnt}(R))$. Thus, $\mathrm{wnt}(R)$ is a recurrent set and hence $\mathrm{wnt}(R) \subseteq \mathrm{wrs}(R)$. □

Next we define the weakest recurrent set as the greatest fixpoint of the transition 
relation's pre-image. 

Lemma 2. Given a relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$, the weakest recurrent set for $R$ is the greatest fixpoint of the function $\mathrm{pre}_R$.

Proof. By the Knaster-Tarski Fixpoint Theorem, $\mathrm{gfp}\,\mathrm{pre}_R = \bigcup\{S \mid S \subseteq \mathrm{pre}_R(S)\} = \mathrm{wrs}(R)$. □
The following lemma gives sufficient conditions under which $\mathrm{wrs}(R)$ can be computed as the limit of the descending Kleene sequence: $\mathbb{Z}^{\mathbf{x}} \supseteq \mathrm{pre}_R(\mathbb{Z}^{\mathbf{x}}) \supseteq \mathrm{pre}_R^2(\mathbb{Z}^{\mathbf{x}}) \supseteq \ldots$

Lemma 3. Let $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ be a relation such that either:

(1) $\mathrm{pre}_R$ is $\cap$-continuous, or

(2) $\mathrm{pre}_R^{n_1}(\mathbb{Z}^{\mathbf{x}}) = \mathrm{pre}_R^{n_2}(\mathbb{Z}^{\mathbf{x}})$ for some $n_2 > n_1 \geq 0$, or

(3) $\bigcap_{m \geq 0} \mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}}) = \emptyset$.

Then, $\mathrm{wrs}(R) = \bigcap_{m \geq 0} \mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}})$.

Proof. If (1) holds, one can apply the Kleene Fixpoint Theorem and conclude that $\mathrm{wrs}(R) = \mathrm{gfp}(\mathrm{pre}_R) = \bigcap_{m \geq 0} \mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}})$. If (2) holds, by the monotonicity of $\mathrm{pre}_R$, we have $\mathrm{pre}_R^{n_1}(\mathbb{Z}^{\mathbf{x}}) = \mathrm{pre}_R^{n_1+1}(\mathbb{Z}^{\mathbf{x}}) = \ldots = \mathrm{pre}_R^{n_2}(\mathbb{Z}^{\mathbf{x}})$. Hence, $\mathrm{pre}_R^{n_1}(\mathbb{Z}^{\mathbf{x}}) = \mathrm{pre}_R^{n}(\mathbb{Z}^{\mathbf{x}})$, for all $n \geq n_1$, is a fixpoint of $\mathrm{pre}_R$, and since $\mathrm{gfp}\,\mathrm{pre}_R = \mathrm{wrs}(R) = \mathrm{wnt}(R) \subseteq \bigcap_{m \geq 0} \mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}})$, it must be that $\mathrm{gfp}\,\mathrm{pre}_R = \bigcap_{m \geq 0} \mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}})$. If (3) holds, observe that $\mathrm{wnt}(R) \subseteq \mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}})$ for each $m \geq 0$. Consequently,

$\mathrm{wrs}(R) = \mathrm{wnt}(R) \subseteq \bigcap_{m \geq 0} \mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}}) = \emptyset$

Hence, $\mathrm{wrs}(R) = \bigcap_{m \geq 0} \mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}}) = \emptyset$ and the lemma holds. □

In the next section, we show that Lemma 3 is applicable, for different reasons, to both octagonal and finite-monoid affine relations: octagonal relations are either well-founded (3), or their descending Kleene sequences stabilize (2), and linear affine relations are $\cap$-continuous (1). Thus one can compute the weakest non-termination precondition for these classes as the limit of a descending Kleene sequence.

Next, we show that, for relations satisfying one of the conditions of Lemma 3, one can also define the weakest non-termination precondition in first order arithmetic.

Definition 4. Let $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ be a relation. The closed form of $R$ is a formula $R(k, \mathbf{x}, \mathbf{x}')$ such that, for all $n \geq 0$ and all $\nu, \nu' \in \mathbb{Z}^{\mathbf{x}}$:

$(\nu, \nu') \models R(n, \mathbf{x}, \mathbf{x}') \iff (\nu, \nu') \in R^n$

Notice that the closed form of a relation is unique, up to logical equivalence. Using the closed form $R(k, \mathbf{x}, \mathbf{x}')$ of $R$, one can now define $\mathrm{wrs}(R)$, if $R$ meets one of the conditions of Lemma 3:

$\mathrm{wrs}(R) = \forall k \geq 0 \,.\, \exists \mathbf{x}' \,.\, R(k, \mathbf{x}, \mathbf{x}')$ (3.1)

One of the results of [8] is that the closed forms of octagonal and finite monoid affine relations are Presburger definable. Under the assumption (still to be proved) that these relations meet the requirements of Lemma 3, their weakest non-termination preconditions can be defined in Presburger arithmetic. Since Presburger arithmetic is decidable, the termination problems for octagonal and finite-monoid affine relations are decidable as well.

Example 1. Consider an octagonal relation $R(x, x') = x > 0 \wedge x' = x - 1$. The closed form of $R$ is $R(k, x, x') = x > k - 1 \wedge x' = x - k$. Quantifier elimination yields $\mathrm{wrs}(R) = \forall k \geq 0 \,.\, \exists x' \,.\, x > k - 1 \wedge x' = x - k = \forall k \geq 0 \,.\, x > k - 1 = \mathrm{false}$. Hence the relation $R$ is well-founded. □






MARIUS BOZGA, RADU IOSIF, AND FILIP KONECNY



4. Octagonal Relations

Octagonal constraints (also known as Unit Two Variables Per Inequality or UTVPI, for short) appear in the context of abstract interpretation where they have been extensively studied as an abstract domain [26]. They are defined syntactically as conjunctions of atomic propositions of the form $\pm x \pm y \leq c$, where $x$ and $y$ are variables and $c$ is an integer constant. They are a generalization of the simpler notion of difference bounds constraints. Since most results on octagons rely on notions related to difference bounds constraints, we introduce the latter, for reasons of self-containment.

4.1. Difference Bounds Relations. Difference bounds constraints are known as zones in the context of timed automata verification [2] and abstract interpretation [26]. They are defined syntactically as conjunctions of atomic propositions of the form $x - y \leq c$, where $x$ and $y$ are variables and $c$ is an integer constant. Difference bounds constraints can be represented as matrices and graphs. These matrices (graphs) have a canonical form, which is used for efficient inclusion checks, and can be computed by the classical Floyd-Warshall algorithm.

Difference bounds relations are relations defined by difference bounds constraints over primed and unprimed variables (e.g. $x - x' \leq 0$). Difference bounds relations have been studied by Comon and Jurski who showed, in [14], that their transitive closure is Presburger definable. Their proof was subsequently simplified in [17], using the notion of zigzag automata. Intuitively, a zigzag automaton corresponding to a difference bounds relation $R$ is a finite weighted graph that encodes the constraints of $R^m$ as minimal weight paths of length $m$. In [8], we showed that zigzag automata can also be used in proving periodicity of difference bounds relations, which allows one to compute the closed form $R(k, \mathbf{x}, \mathbf{x}')$ efficiently. As we will show in this section, zigzag automata also play a crucial role in designing a PTIME algorithm computing the weakest termination sets, and in proving the existence of linear ranking functions for octagonal relations.

Definition 5. A formula $\phi(\mathbf{x})$ is a difference bounds constraint if it is equivalent to a finite conjunction of atomic propositions of the form $x_i - x_j \leq a_{ij}$, $1 \leq i, j \leq N$, $i \neq j$, where $a_{ij} \in \mathbb{Z}$.

For instance, $x - y = 5$ is a difference bounds constraint, as it is equivalent to $x - y \leq 5 \wedge y - x \leq -5$. In practice, difference bounds constraints are represented either as matrices or as graphs:

Definition 6. Let $\mathbf{x} = \{x_1, x_2, \ldots, x_N\}$ be a set of variables ranging over $\mathbb{Z}$ and $\phi(\mathbf{x})$ be a difference bounds constraint. Then a difference bounds matrix (DBM) representing $\phi$ is an $N \times N$ matrix $M_\phi$ such that:

$(M_\phi)_{ij} = a_{ij}$ if $(x_i - x_j \leq a_{ij}) \in AP(\phi)$, and $(M_\phi)_{ij} = \infty$ otherwise.

Definition 7. Let $\mathbf{x} = \{x_1, x_2, \ldots, x_N\}$ be a set of variables ranging over $\mathbb{Z}$ and $\phi(\mathbf{x})$ be a difference bounds constraint. Then $\phi$ can be represented as a weighted graph $\mathcal{G}_\phi = (\mathbf{x}, \rightarrow)$, where each vertex corresponds to a variable, and there is an edge $x_i \xrightarrow{a_{ij}} x_j$ in $\mathcal{G}_\phi$ if and only if there exists a constraint $x_i - x_j \leq a_{ij}$ in $\phi$. This graph is also called a constraint graph.
Clearly, $M_\phi$ is the incidence matrix of $\mathcal{G}_\phi$. If $M \in \mathbb{Z}_\infty^{N \times N}$ is a DBM, the corresponding difference bounds constraint is defined as $\phi_M = \bigwedge_{M_{ij} < \infty} x_i - x_j \leq M_{ij}$. The restriction of a DBM $M_\phi$ to variables $\mathbf{z} \subseteq \mathbf{x}$, denoted as $(M_\phi)_{\downarrow \mathbf{z}}$, is the matrix obtained by erasing from $M_\phi$ the rows and columns of the variables not in $\mathbf{z}$. For two difference bounds matrices $M_1, M_2$, we write $M_1 = M_2$ if and only if $(M_1)_{ij} = (M_2)_{ij}$ for all $1 \leq i, j \leq N$ and $M_1 \leq M_2$ if and only if $(M_1)_{ij} \leq (M_2)_{ij}$ for all $1 \leq i, j \leq N$.

A DBM $M$ is said to be consistent if and only if its corresponding constraint $\phi_M$ is consistent. The next definition gives a canonical form for consistent DBMs.

Definition 8. A consistent DBM $M \in \mathbb{Z}_\infty^{N \times N}$ is said to be closed if and only if $M_{ii} = 0$ and $M_{ij} \leq M_{ik} + M_{kj}$, for all $1 \leq i, j, k \leq N$.

Given a consistent DBM $M \in \mathbb{Z}_\infty^{N \times N}$, we denote the closed DBM by $M^*$. It is well-known that, if $M$ is consistent, then $M^*$ is unique. The closed form is needed to check the equivalence and entailment of two difference bounds constraints.

Proposition 2 ([26]). Let $\phi_1$ and $\phi_2$ be consistent difference bounds constraints. Then,

• $\phi_1 \iff \phi_2$ if and only if $M^*_{\phi_1} = M^*_{\phi_2}$,

• $\phi_1 \Rightarrow \phi_2$ if and only if $M^*_{\phi_1} \leq M^*_{\phi_2}$.

Remark. The closed form of a consistent DBM $M \in \mathbb{Z}_\infty^{N \times N}$ can be computed in $O(N^3)$ iterations, by the classical Floyd-Warshall algorithm [16]. Let $\mu$ denote the maximal absolute value among the entries of $M$. Since each iteration uses constantly many additions and comparisons, each of which involves absolute values at most $N \cdot \mu$, the time complexity of the closure computation is at most $O(N^3 \cdot \log(N \cdot \mu))$. If $M$ is inconsistent, then this can be detected, by a slightly improved version of Floyd-Warshall, with the same worst case time complexity. □

A relation $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ is a difference bounds relation if it can be defined by a difference bounds constraint $R(\mathbf{x}, \mathbf{x}')$. It is well-known that the class of difference bounds relations is closed under relational composition [26].

Example 2. Let $R(x_1, x_2, x'_1, x'_2) \iff x_1 - x'_1 \leq 1 \wedge x_1 - x'_2 \leq -1 \wedge x_2 - x'_1 \leq -2 \wedge x_2 - x'_2 \leq 2$ be a difference bounds relation. Figure 1a shows the graph representation and Figure 1b the closed DBM representation of $R$. □
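As an added worked example (my own code, not the paper's or the Flata tool's), the Python below implements the DBM machinery of this section over $\mathbb{Z}$ and ties it back to Section 3: Floyd-Warshall closure with inconsistency detection (the Remark), entailment via closed DBMs (Proposition 2), composition and powers $R^m$ of difference bounds relations applied to the relation of Example 2, and the descending Kleene sequence $\mathrm{pre}_R^m(\mathbb{Z}^{\mathbf{x}}) = \mathrm{dom}(R^m)$ of Lemma 3, reporting whether condition (2) or (3) is observed within a bound. The index layout (unprimed variables first, then primed), the helper names and the two extra relations (a swap and a countdown loop) are my own constructions.

```python
INF = float("inf")  # the "oo" entry of a DBM: no constraint between x_i and x_j

def make_dbm(size, constraints):
    """DBM for the conjunction of x_i - x_j <= c given as (i, j, c) triples."""
    M = [[INF] * size for _ in range(size)]
    for i in range(size):
        M[i][i] = 0
    for i, j, c in constraints:
        M[i][j] = min(M[i][j], c)
    return M

def dbm_close(M):
    """Closed form M* by Floyd-Warshall, or None when the constraint is
    inconsistent: a negative cycle shows up as a negative diagonal entry.
    For difference constraints this check is exact over the integers."""
    n = len(M)
    C = [row[:] for row in M]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if C[i][k] + C[k][j] < C[i][j]:
                    C[i][j] = C[i][k] + C[k][j]
    if any(C[i][i] < 0 for i in range(n)):
        return None
    return C

def dbm_entails(M1, M2):
    """phi_1 => phi_2 iff M1* <= M2* entrywise (Proposition 2); an
    inconsistent phi_1 entails everything."""
    C1, C2 = dbm_close(M1), dbm_close(M2)
    if C1 is None:
        return True
    if C2 is None:
        return False
    n = len(C1)
    return all(C1[i][j] <= C2[i][j] for i in range(n) for j in range(n))

def identity(n):
    """R^0, i.e. x_i' = x_i; indices 0..n-1 are x and n..2n-1 are x'."""
    return make_dbm(2 * n, [(i, i + n, 0) for i in range(n)]
                    + [(i + n, i, 0) for i in range(n)])

def compose(R1, R2, n):
    """R1 o R2: conjoin R1(x, x') and R2(x', x'') over 3n variables, close,
    and keep only x and x''.  A restriction of a closed DBM is closed."""
    size = 3 * n
    M = [[INF] * size for _ in range(size)]
    for i in range(size):
        M[i][i] = 0
    for i in range(2 * n):
        for j in range(2 * n):
            M[i][j] = min(M[i][j], R1[i][j])                  # R1 on (x, x')
            M[i + n][j + n] = min(M[i + n][j + n], R2[i][j])  # R2 on (x', x'')
    C = dbm_close(M)
    if C is None:
        return None                       # the composed relation is empty
    keep = list(range(n)) + list(range(2 * n, size))
    return [[C[i][j] for j in keep] for i in keep]

def power(R, n, m):
    """R^m by repeated composition; None as soon as some power is inconsistent."""
    P = identity(n)
    for _ in range(m):
        P = compose(P, R, n)
        if P is None:
            return None
    return P

def domain(Rm, n):
    """pre_{R^m}(Z^x) = dom(R^m): the closed DBM restricted to x."""
    C = dbm_close(Rm)
    return None if C is None else [row[:n] for row in C[:n]]

def kleene(R, n, bound):
    """Walk Z^x >= pre_R(Z^x) >= pre_R^2(Z^x) >= ... for at most `bound` steps.
    ('empty', m):   R^m is inconsistent, so wrs(R) = {} (Lemma 3, case (3));
    ('stable', m):  pre^m = pre^(m-1), and that set is wrs(R) (case (2));
    ('unknown', b): neither was observed within the bound."""
    prev = domain(identity(n), n)
    for m in range(1, bound + 1):
        Rm = power(R, n, m)
        if Rm is None:
            return ("empty", m)
        cur = domain(Rm, n)
        if cur == prev:
            return ("stable", m)
        prev = cur
    return ("unknown", bound)

# Constructed inputs; indices 0,1 = x1,x2 and 2,3 = x1',x2'.
EXAMPLE2 = make_dbm(4, [(0, 2, 1), (0, 3, -1), (1, 2, -2), (1, 3, 2)])
# x < y, then swap (x' = y, y' = x): R^2 is empty, so R is well-founded.
SWAP = make_dbm(4, [(0, 1, -1), (2, 1, 0), (1, 2, 0), (3, 0, 0), (0, 3, 0)])
# y <= x, x' = x - 1, y' = y: pre^m(Z^2) = {y - x <= -(m-1)} never stabilises.
COUNTDOWN = make_dbm(4, [(1, 0, 0), (0, 2, 1), (2, 0, -1), (1, 3, 0), (3, 1, 0)])
```

For the countdown relation every finite prefix of the sequence is non-empty and strictly tighter than the previous one, so only the infinite intersection is empty (condition (3)); the bounded walk reports 'unknown' there, which is exactly the case the closed-form argument of Example 1 settles.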
Given a difference bounds relation $R(\mathbf{x}, \mathbf{x}')$, we define the $m$-times concatenation of $\mathcal{G}_R$ with itself.

Definition 9. Let $R(\mathbf{x}, \mathbf{x}')$, $\mathbf{x} = \{x_1, \ldots, x_N\}$, be a difference bounds relation and $\mathcal{G}_R$ be its constraint graph. The $m$-times unfolding of $\mathcal{G}_R$ is defined as

$\mathcal{G}_R^m = \left(\bigcup_{k=0}^{m} \mathbf{x}^{(k)}, \rightarrow\right)$

where $\mathbf{x}^{(k)} = \{x_i^{(k)} \mid 1 \leq i \leq N\}$ and for all $0 \leq k < m$,

• $x_i^{(k)} \xrightarrow{c} x_j^{(k)}$ if and only if $(x_i - x_j \leq c) \in AP(R)$

• $x_i^{(k)} \xrightarrow{c} x_j^{(k+1)}$ if and only if $(x_i - x'_j \leq c) \in AP(R)$

• $x_i^{(k+1)} \xrightarrow{c} x_j^{(k)}$ if and only if $(x'_i - x_j \leq c) \in AP(R)$

• $x_i^{(k+1)} \xrightarrow{c} x_j^{(k+1)}$ if and only if $(x'_i - x'_j \leq c) \in AP(R)$

Each constraint in $R^m$ corresponds to a path between extremal points in $\mathcal{G}_R^m$. Notice that, since difference bounds relations are closed under composition, $R^m$ is a difference bounds relation, for any $m \geq 0$. Then we have:

$R^m \iff \bigwedge_{1 \leq i,j \leq N} x_i - x_j \leq \min\{x_i^0 \rightarrow x_j^0\} \wedge x'_i - x'_j \leq \min\{x_i^m \rightarrow x_j^m\} \wedge x_i - x'_j \leq \min\{x_i^0 \rightarrow x_j^m\} \wedge x'_i - x_j \leq \min\{x_i^m \rightarrow x_j^0\}$

where $\min\{x_i^p \rightarrow x_j^q\}$ is the minimal weight between all paths among the extremal vertices $x_i^p$ and $x_j^q$ in $\mathcal{G}_R^m$, for $p, q \in \{0, m\}$.

Example 3. Figure 1c depicts the $m$-times unfolding of $\mathcal{G}_R$ for the relation $R \iff x_1 - x'_1 \leq 1 \wedge x_1 - x'_2 \leq -1 \wedge x_2 - x'_1 \leq -2 \wedge x_2 - x'_2 \leq 2$. □

The set of paths between any two extremal points in $\mathcal{G}_R^m$ can be seen as words over the finite alphabet of subgraphs of $\mathcal{G}_R^m$ that are accepted by a finite weighted automaton called zigzag automaton [8]. In the following section, we give the definition of these automata.

4.2. Zigzag Automata. This section defines zigzag automata, which can be seen as recognizers of powers of difference bounds relations. Intuitively, a zigzag automaton corresponding to a difference bounds relation $R$ is a finite weighted automaton that encodes the $m$-th power of $R$ by minimal runs of length $m + 2$.

4.2.1. Alphabet and Words. Without losing generality, in the following we work with a simplified (yet equivalent) form of difference bounds relations: all constraints of the form $x - y \leq a$ are replaced by $x - t' \leq a \wedge t' - y \leq 0$, and all constraints of the form $x' - y' \leq a$ are replaced by $x' - t \leq a \wedge t - y' \leq 0$, by introducing fresh variables $t \notin \mathbf{x}$. In other words, we can assume that the constraint graph $\mathcal{G}_R$ corresponding to $R$ is bipartite, i.e. it only contains edges from $\mathbf{x}$ to $\mathbf{x}'$ and vice versa.

A path $\pi$ in $\mathcal{G}_R^m$ between, say, $x^0$ and $y^m$, with $x, y \in \mathbf{x}$, is represented by a word $w = w_1 \ldots w_m$ of length $m$, as follows: the $w_i$ symbol represents simultaneously all edges of $\pi$ that involve only nodes from $\mathbf{x}^{i-1} \cup \mathbf{x}^i$, $1 \leq i \leq m$. Since we assumed that $\mathcal{G}_R$ is bipartite, it is easy to see that, for a path from $x^0$ to $y^m$, coded by a word $w$, the number of times the $w_i$ symbol is traversed by the path is odd, whereas for a path from $x^0$ to $y^0$, or from $x^m$ to $y^m$, this number is even. Hence the names of even and odd automata.

[Figure 2. Runs of Even and Odd Automata: (a) even automata, (b) odd automata]
Given a difference bounds relation $R$, the even alphabet of $R$, denoted $\Sigma_R^e$, is the set of all graphs satisfying the following conditions, for each $G \in \Sigma_R^e$:

(1) the set of nodes of $G$ is $\mathbf{x} \cup \mathbf{x}'$

(2) for any $x, y \in \mathbf{x} \cup \mathbf{x}'$, there is an edge labeled with $a \in \mathbb{Z}$ from $x$ to $y$, only if the constraint $x - y \leq a$ occurs in $R$

(3) the in-degree and out-degree of each node are at most one

(4) the number of edges from $\mathbf{x}$ to $\mathbf{x}'$ equals the number of edges from $\mathbf{x}'$ to $\mathbf{x}$

Notice that the number of edges in all symbols of $\Sigma_R^e$ is even.

The odd alphabet of $R$, denoted by $\Sigma_R^o$, is defined in the same way, with the exception of the last condition, which becomes:

(4) the difference between the number of edges from $\mathbf{x}$ to $\mathbf{x}'$ and the number of edges from $\mathbf{x}'$ to $\mathbf{x}$ is either $1$ or $-1$

Notice that the number of edges in all symbols of $\Sigma_R^o$ is odd.

Let $\Sigma_R = \Sigma_R^e \cup \Sigma_R^o \cup \{\varepsilon\}$ be the alphabet of the zigzag automaton for $R$, where $\varepsilon$ is a special symbol of weight $0$. The weight of any symbol $G \in \Sigma_R^e \cup \Sigma_R^o$, denoted $\omega(G)$, is the sum of the weights that occur on its edges. For a word $w = w_1 w_2 \cdots w_n \in \Sigma_R^*$, we define its weight as $\omega(w) = \sum_{i=1}^{n} \omega(w_i)$.

4.2.2. Construction of Zigzag Automata. We are now ready for the definition of automata
recognizing words that represent encodings of paths from G_R^m. The even automata recognize
paths that start and end on the same side of G_R^m, i.e., either paths from x_i^{(0)} to x_j^{(0)}
or from x_i^{(m)} to x_j^{(m)}, for some 1 ≤ i, j ≤ N, respectively. We call the automata recognizing
paths from x_i^{(0)} to x_j^{(0)} forward even automata, and the ones recognizing paths from x_i^{(m)} to
x_j^{(m)} backward even automata (Figure 2 (a)). The odd automata recognize paths from one
side of G_R^m to the other. The automata recognizing paths from x_i^{(0)} to x_j^{(m)} are called forward
odd automata, whereas the ones recognizing paths from x_i^{(m)} to x_j^{(0)} are called backward odd
automata (Figure 2 (b)).

The even and odd automata share the same alphabet and transition table, while the
differences are in the sets of initial and final states. The common transition table is defined
as T_R = (Q, Δ, w), where Q is the set of control states defined as:

$$Q = Q_0 \cup \bigcup_{1 \le i,j \le N} \big(Q^{ef}_{ij} \cup Q^{eb}_{ij} \cup Q^{of}_{ij} \cup Q^{ob}_{ij}\big) \quad \text{where} \quad Q_0 = \{l, r, lr, rl, \bot\}^N$$

The {l, r, lr, rl, ⊥} components of states in Q_0 capture the direction of incoming and out-
going edges (l for a path traversing from right to left, r for a path traversing from left
to right, lr for a right incoming and right outgoing path, rl for a left incoming and left
outgoing path, and ⊥ when there are no incoming nor outgoing edges from that node).
Given 1 ≤ i, j ≤ N, the sets Q^{ef}_{ij}, Q^{eb}_{ij}, Q^{of}_{ij}, Q^{ob}_{ij} contain the initial and the final state in the
even forward (ef), even backward (eb), odd forward (of), and odd backward (ob) zigzag
automaton corresponding to R, respectively. The four automata recognize paths from x_i^{(0)}
to x_j^{(0)} (ef), from x_i^{(m)} to x_j^{(m)} (eb), from x_i^{(0)} to x_j^{(m)} (of), and from x_i^{(m)} to x_j^{(0)} (ob) in G_R^m,
respectively.

The set of transitions Δ is defined as:

$$\Delta = \Delta_0 \cup \Delta_\varepsilon \cup \bigcup_{1 \le i,j \le N} \big(\Delta^{ef}_{ij} \cup \Delta^{eb}_{ij} \cup \Delta^{of}_{ij} \cup \Delta^{ob}_{ij}\big)$$

There is a transition

$$(q_1, \ldots, q_N) \xrightarrow{G} (q'_1, \ldots, q'_N)$$

in Δ_0 if and only if the following conditions hold, for all 1 ≤ i ≤ N:

• q_i = l iff G has one edge whose destination is x_i, and no other edge involving x_i.

• q'_i = l iff G has one edge whose source is x'_i, and no other edge involving x'_i.

• q_i = r iff G has one edge whose source is x_i, and no other edge involving x_i.

• q'_i = r iff G has one edge whose destination is x'_i, and no other edge involving x'_i.

• q_i = lr iff G has exactly two edges involving x_i, one having x_i as source, and another
as destination.

• q'_i = rl iff G has exactly two edges involving x'_i, one having x'_i as source, and another
as destination.

• q'_i ∈ {lr, ⊥} iff G has no edge involving x'_i.

• q_i ∈ {rl, ⊥} iff G has no edge involving x_i.

Some even paths in G_R^m may be of length strictly less than m. Since we want to recognize
these paths by runs of length m + 2, we need several zero weight self-loop transitions:

Finally, we define for each 1 ≤ i, j ≤ N and each of the four zigzag automata (ef, eb, of, ob),
the set of transitions that are incident with an initial or a final control state of the respective
automaton:

$$\Delta^{ef}_{ij} = \begin{cases} \{\, I^{ef}_{ij} \xrightarrow{G} q \mid q_i = r,\ q_j = l,\ q_h \in \{lr, \bot\},\ 1 \le h \le N,\ h \notin \{i,j\} \,\} & \text{if } i \ne j \\ \{\, I^{ef}_{ij} \xrightarrow{G} q \mid q_i = q_j = lr,\ q_h \in \{lr, \bot\},\ 1 \le h \le N,\ h \ne i \,\} & \text{if } i = j \end{cases} \ \cup\ \{\, q \xrightarrow{G} F^{ef} \mid q \in \{rl, \bot\}^N \,\}$$

$$\Delta^{eb}_{ij} = \{\, I^{eb} \xrightarrow{G} q \mid q \in \{lr, \bot\}^N \,\} \ \cup\ \begin{cases} \{\, q \xrightarrow{G} F^{eb}_{ij} \mid q_i = l,\ q_j = r,\ q_h \in \{rl, \bot\},\ 1 \le h \le N,\ h \notin \{i,j\} \,\} & \text{if } i \ne j \\ \{\, q \xrightarrow{G} F^{eb}_{ij} \mid q_i = q_j = rl,\ q_h \in \{rl, \bot\},\ 1 \le h \le N,\ h \ne i \,\} & \text{if } i = j \end{cases}$$

$$\Delta^{of}_{ij} = \{\, I^{of}_{i} \xrightarrow{G} q \mid q_i = r \text{ and } q_h \in \{lr, \bot\},\ 1 \le h \le N,\ h \ne i \,\} \ \cup\ \{\, q \xrightarrow{G} F^{of}_{j} \mid q_j = r \text{ and } q_h \in \{rl, \bot\},\ 1 \le h \le N,\ h \ne j \,\}$$

$$\Delta^{ob}_{ij} = \{\, I^{ob}_{j} \xrightarrow{G} q \mid q_j = l \text{ and } q_h \in \{lr, \bot\},\ 1 \le h \le N,\ h \ne j \,\} \ \cup\ \{\, q \xrightarrow{G} F^{ob}_{i} \mid q_i = l \text{ and } q_h \in \{rl, \bot\},\ 1 \le h \le N,\ h \ne i \,\}$$

The weight function w maps each transition q −G→ q' ∈ Δ, q, q' ∈ Q, G ∈ Σ_R to ω(G).
Finally, for each 1 ≤ i, j ≤ N, we define four zigzag automata

$$A^{ef}_{ij} = (Q, \Delta, w, I^{ef}_{ij}, F^{ef}) \qquad A^{of}_{ij} = (Q, \Delta, w, I^{of}_{i}, F^{of}_{j})$$

$$A^{eb}_{ij} = (Q, \Delta, w, I^{eb}, F^{eb}_{ij}) \qquad A^{ob}_{ij} = (Q, \Delta, w, I^{ob}_{j}, F^{ob}_{i})$$

Notice that these automata share the same states and transitions, and the number of states
is at most 5^N + 2N^2 + 4N + 2, where N is the number of variables in x.

In the following, we will sometimes shorthand paths in the zigzag automata of the
form q_1 −a_1→ q_2 −a_2→ ... −a_n→ q_{n+1} as q_1 −a_1...a_n→ q_{n+1}. Given words w_1, w_2, w_3 and paths
π_1 = q_1 −w_1→ q_2, π_2 = q_2 −w_2→ q_3, π_3 = q_3 −w_3→ q_4, we write π = π_1.π_2.π_3 to denote the
concatenated path q_1 −w_1→ q_2 −w_2→ q_3 −w_3→ q_4. We sometimes abuse the notation slightly and
write π as e.g. q_1 −π_1→ q_2 −π_2→ q_3 −π_3→ q_4, labelling an arrow with a path instead of its word.



4.2.3. Language of Zigzag Automata. Recall that G_R^m denotes the constraint graph corre-
sponding to R^m, obtained by concatenating the constraint graph of R to itself m > 0 times.
We say that a path in G_R^m stretches between k and l, for some k ≤ l, if the path contains at
least one node from x^{(i)}, for each k ≤ i ≤ l, and contains no node from x^{(i)}, for each i such that
i < k or i > l. Intuitively, all paths from x_i^{(0)} to x_j^{(0)} in G_R^m are recognized by the automaton
A^{ef}_{ij}, paths from x_i^{(m)} to x_j^{(m)} by A^{eb}_{ij} (Figure 2 (a)), paths from x_i^{(0)} to x_j^{(m)} by A^{of}_{ij}, and paths
from x_i^{(m)} to x_j^{(0)} by A^{ob}_{ij} (Figure 2 (b)). The following lemma makes the relationship between
paths in G_R^m and runs in zigzag automata of length m + 2 precise.

Lemma 4. Suppose that G_R^m does not have cycles of negative weight, for some m > 0.

Then, for any 1 ≤ i, j ≤ N, i ≠ j, the following hold:

(1) A^{ef}_{ij} has an accepting run of length m + 2 if and only if there exists a path in G_R^m,
from x_i^{(0)} to x_j^{(0)}, that stretches between 0 and n, for some 0 ≤ n ≤ m. Moreover,
the minimal weight among all paths from x_i^{(0)} to x_j^{(0)} in G_R^m, stretching from 0 to n,
for some 0 ≤ n ≤ m, equals the minimal weight among all accepting runs of A^{ef}_{ij} of
length m + 2.

(2) A^{eb}_{ij} has an accepting run of length m + 2 if and only if there exists a path in G_R^m,
from x_i^{(m)} to x_j^{(m)}, that stretches between n and m, for some 0 ≤ n ≤ m. Moreover,
the minimal weight among all paths from x_i^{(m)} to x_j^{(m)} in G_R^m, stretching from n to m,
for some 0 ≤ n ≤ m, equals the minimal weight among all accepting runs of A^{eb}_{ij} of
length m + 2.

(3) A^{of}_{ij} has an accepting run of length m + 2 if and only if there exists a path in G_R^m
from x_i^{(0)} to x_j^{(m)}. Moreover, the minimal weight among all paths from x_i^{(0)} to x_j^{(m)} in G_R^m
equals the minimal weight among all accepting runs of A^{of}_{ij} of length m + 2.

(4) A^{ob}_{ij} has an accepting run of length m + 2 if and only if there exists a path in G_R^m
from x_i^{(m)} to x_j^{(0)}. Moreover, the minimal weight among all paths from x_i^{(m)} to x_j^{(0)} in G_R^m
equals the minimal weight among all accepting runs of A^{ob}_{ij} of length m + 2.

Proof. See [11], Lemmas 4.3, 4.4, 4.6 and 4.7. □

Example 4. Let us show the construction of the zigzag automaton for the relation R ⇔
x_1 − x'_1 ≤ 1 ∧ x_1 − x_2 ≤ −1 ∧ x_2 − x'_1 ≤ −2 ∧ x_2 − x'_2 ≤ 2. Figures 2 (a) and (b) depict G_R
and G_R^m. Notice that there are only forward odd paths, i.e. paths from x^{(0)} to x^{(m)} in G_R^m,
for any m ≥ 1. The transition table T_R = (Q, Δ, w) of the zigzag automaton is depicted in
Figure 3 (isolated states, such as (r, ...), have been removed). For instance, the automaton
A^{of}_{ij} = (T_R, I^{of}_i, F^{of}_j) recognizes a run of length m + 2 with weight w if and only if there is
a path from x_i^{(0)} to x_j^{(m)} in G_R^m of length m and with weight w. There are four such paths in
G_R^m and Figure 4 shows the corresponding runs of the zigzag automaton. The second
and the third runs have minimal weight. □




Figure 3. Zigzag automaton.

Figure 4. Runs.

4.3. Octagonal Constraints. Octagonal constraints are a generalization of difference
bounds constraints to conjunctions of atomic propositions of the form ±x ± y ≤ c, c ∈ Z.
An octagonal constraint φ(x_1, ..., x_N) is usually represented by a difference bounds con-
straint φ̄(y_1, ..., y_{2N}) where y_{2i−1} stands for +x_i and y_{2i} stands for −x_i, with the implicit
requirement that y_{2i−1} = −y_{2i}, for each 1 ≤ i ≤ N. With this convention, [4] provides an
algorithm for computing the canonical form of an octagon by first computing the canoni-
cal form of the corresponding difference bounds constraint and subsequently tightening the
difference bounds constraints y_i − y_ī ≤ c.

The problem of computing the closed forms of octagonal relations was studied first in
[7] where it was shown that the closed forms of octagonal relations are Presburger definable.
The core result of [7] is that the canonical form of the m-th power of an octagonal relation
R can be computed directly from the m-th power of a difference bounds relation that
represents R. For self-containment reasons, we present these results in Section 4.4.

Let x = {x_1, x_2, ..., x_N} be a set of variables ranging over Z. The class of integer
octagonal constraints is defined as follows:

Definition 10. A formula φ(x) is an octagonal constraint if it is equivalent to a finite
conjunction of terms of the form x_i − x_j ≤ a_{ij}, x_i + x_j ≤ b_{ij} or −x_i − x_j ≤ c_{ij} where
a_{ij}, b_{ij}, c_{ij} ∈ Z, for all 1 ≤ i, j ≤ N.

We represent octagons as difference bounds constraints over the dual set of variables y =
{y_1, y_2, ..., y_{2N}}, with the convention that y_{2i−1} stands for x_i and y_{2i} for −x_i, respectively.
For example, the octagonal constraint x_1 + x_2 = 3 is represented as y_1 − y_4 ≤ 3 ∧ y_2 − y_3 ≤ −3.
In order to handle the y variables in the following, we define ī = i − 1, if i is even, and
ī = i + 1 if i is odd. Obviously, we have ī̄ = i, for all i ∈ Z, i > 0. We denote by φ̄(y) the
difference bounds constraint over y that represents φ(x) and which is defined as follows:

Definition 11. Given an octagonal constraint φ(x), x = {x_1, ..., x_N}, its difference bounds
representation φ̄(y), y = {y_1, ..., y_{2N}}, is a conjunction of the following difference bounds
constraints, where 1 ≤ i ≠ j ≤ N, c ∈ Z:

$$\begin{aligned}
(x_i - x_j \le c) \in AP(\varphi) &\Leftrightarrow (y_{2i-1} - y_{2j-1} \le c),\ (y_{2j} - y_{2i} \le c) \in AP(\bar\varphi) \\
(-x_i + x_j \le c) \in AP(\varphi) &\Leftrightarrow (y_{2j-1} - y_{2i-1} \le c),\ (y_{2i} - y_{2j} \le c) \in AP(\bar\varphi) \\
(-x_i - x_j \le c) \in AP(\varphi) &\Leftrightarrow (y_{2i} - y_{2j-1} \le c),\ (y_{2j} - y_{2i-1} \le c) \in AP(\bar\varphi) \\
(x_i + x_j \le c) \in AP(\varphi) &\Leftrightarrow (y_{2i-1} - y_{2j} \le c),\ (y_{2j-1} - y_{2i} \le c) \in AP(\bar\varphi) \\
(2x_i \le c) \in AP(\varphi) &\Leftrightarrow (y_{2i-1} - y_{2i} \le c) \in AP(\bar\varphi) \\
(-2x_i \le c) \in AP(\varphi) &\Leftrightarrow (y_{2i} - y_{2i-1} \le c) \in AP(\bar\varphi)
\end{aligned}$$






Given an octagonal constraint φ(x) and its difference bounds representation φ̄(y), we
define φ̂(x) as

$$\hat\varphi(\mathbf{x}) \Leftrightarrow \Big(\exists y_2, y_4, \ldots, y_{2N} \,.\, \bar\varphi \wedge \bigwedge_{i=1}^{N} y_{2i-1} = -y_{2i}\Big)[x_i / y_{2i-1}]_{i=1}^{N} \qquad (4.1)$$

Clearly, it follows that

$$\varphi(\mathbf{x}) \Leftrightarrow \hat\varphi(\mathbf{x}) \Leftrightarrow \Big(\exists y_2, y_4, \ldots, y_{2N} \,.\, \bar\varphi \wedge \bigwedge_{i=1}^{N} y_{2i-1} = -y_{2i}\Big)[x_i / y_{2i-1}]_{i=1}^{N} \qquad (4.2)$$

An octagonal constraint φ is equivalently represented by the DBM M_φ̄ ∈ Z^{2N×2N},
corresponding to φ̄. We sometimes write M_φ instead of M_φ̄. We say that a DBM M ∈
Z^{2N×2N} is coherent iff M_{ij} = M_{j̄ī} for all 1 ≤ i, j ≤ 2N. This property is needed since e.g. an
atomic proposition x_i − x_j ≤ a_{ij}, 1 ≤ i, j ≤ N, can be represented as both y_{2i−1} − y_{2j−1} ≤ a_{ij}
and y_{2j} − y_{2i} ≤ a_{ij}. Dually, a coherent DBM M ∈ Z^{2N×2N} corresponds to the octagonal
constraint:

$$\Omega_M \Leftrightarrow \bigwedge_{1 \le i,j \le N} \big(x_i - x_j \le M_{2i-1,2j-1} \wedge x_i + x_j \le M_{2i-1,2j} \wedge -x_i - x_j \le M_{2j,2i-1}\big) \qquad (4.3)$$

A coherent DBM M is said to be octagonal-consistent if and only if Ω_M is consistent.

Definition 12. An octagonal-consistent coherent DBM M ∈ Z^{2N×2N} is said to be tightly
closed if and only if the following hold, for all 1 ≤ i, j, k ≤ 2N:

1. M_{ii} = 0

2. M_{iī} is even

3. M_{ij} ≤ M_{ik} + M_{kj}

4. M_{ij} ≤ ⌊M_{iī}/2⌋ + ⌊M_{j̄j}/2⌋

Given an octagonal-consistent coherent DBM M ∈ Z^{2N×2N}, we denote the (unique)
tightly closed DBM by M^t. The following theorem from [4] provides an effective way of
testing octagonal-consistency and computing the tight closure of a coherent DBM. Moreover,
it shows that the tight closure of a given DBM is unique and can also be computed with
the same worst-case time complexity as the DBM closure.

Theorem 1. ([4]) Let M ∈ Z^{2N×2N} be a coherent DBM. Then M is octagonal-consistent
if and only if M is consistent and ⌊M*_{iī}/2⌋ + ⌊M*_{īi}/2⌋ ≥ 0, for all 1 ≤ i ≤ 2N. Moreover, if M is
octagonal-consistent, the tight closure of M is the DBM M^t ∈ Z^{2N×2N} defined as:

$$M^t_{ij} = \min\Big( M^*_{ij},\ \Big\lfloor \frac{M^*_{i\bar\imath}}{2} \Big\rfloor + \Big\lfloor \frac{M^*_{\bar\jmath j}}{2} \Big\rfloor \Big)$$

for all 1 ≤ i, j ≤ 2N, where M* ∈ Z^{2N×2N} is the closure of M.

The tight closure of DBMs is needed for checking equivalence and entailment between octag-
onal constraints. Two octagonal constraints are equivalent if and only if their tight DBMs
are equal. Moreover, octagonal constraints are closed under existential quantification.

Proposition 3. (Theorem 2 in [7]) Let φ(x), x = {x_1, ..., x_N}, be an octagonal-consistent
octagonal constraint. Further, let 1 ≤ k ≤ N and M' be the restriction of M^t_φ to y \
{y_{2k−1}, y_{2k}}. Then, M' is tightly closed, and Ω_{M'} ⇔ ∃x_k . φ(x).

Figure 5. Graph and matrix representation of a relation.



4.4. The Powers of Octagonal Relations. A relation R ⊆ Z^N × Z^N over a set of variables
x is an octagonal relation if it can be defined by an octagonal constraint R(x, x').

Example 5. Consider the octagonal relation R(x_1, x_2, x'_1, x'_2) ⇔ x_1 + x_2 ≤ 5 ∧ x'_1 − x_1 ≤
−2 ∧ x'_2 − x_2 ≤ −3 ∧ x_2 − x'_1 ≤ 1. Its difference bounds representation is R̄(y, y') ⇔ y_1 − y_4 ≤
5 ∧ y_3 − y_2 ≤ 5 ∧ y'_1 − y_1 ≤ −2 ∧ y_2 − y'_2 ≤ −2 ∧ y'_3 − y_3 ≤ −3 ∧ y_4 − y'_4 ≤ −3 ∧ y_3 − y'_1 ≤
1 ∧ y'_2 − y_4 ≤ 1, where y = {y_1, ..., y_4}. Figure 5a shows the graph representation G_R. Note
that the implicit constraint with bound 1 (represented by a dashed edge in Figure 5a) is not
tight. The tightening step replaces the bound 1 (crossed out in Figure 5a) with 0. Figure 5b
shows the tightly closed DBM representation of R, denoted M^t_R. □

A consequence of Proposition 3 is that octagonal relations are closed under relational
composition [7]. We need here the main result of [7] which establishes the following relation
between M^t_{R^m} (the tightly closed octagonal DBM corresponding to the m-th iteration of R)
and M*_{R̄^m} (the closed DBM corresponding to the m-th iteration of the difference bounds
relation R̄), for all m > 0:

Theorem 2. ([7]) Let R(x, x'), x = {x_1, ..., x_N}, be a *-consistent octagonal relation.
Then, M^t_{R^m} = (M*_{R̄^m})^t for all m > 0. Consequently,

$$(M^t_{R^m})_{ij} = \min\Big( (M^*_{\bar R^m})_{ij},\ \Big\lfloor \frac{(M^*_{\bar R^m})_{i\bar\imath}}{2} \Big\rfloor + \Big\lfloor \frac{(M^*_{\bar R^m})_{\bar\jmath j}}{2} \Big\rfloor \Big)$$

for all 1 ≤ i, j ≤ 4N.

The statement of Theorem 2 is in fact a generalization of the tight closure definition
from Theorem 1 from m = 1 to any m > 0.

Corollary 1. Let R(x, x'), x = {x_1, ..., x_N}, be a *-consistent octagonal relation and
R̄(y, y') its difference bounds representation. Then, for all m ≥ 0 and 1 ≤ i ≤ N:

• $R^m \Leftrightarrow \widehat{\bar R^m}$

• $\exists x_i \,.\, R^m \Leftrightarrow \widehat{\exists y_{2i-1}, y_{2i} \,.\, \bar R^m}$

• $\exists x'_i \,.\, R^m \Leftrightarrow \widehat{\exists y'_{2i-1}, y'_{2i} \,.\, \bar R^m}$

Proof. The fact that $R^m \Leftrightarrow \widehat{\bar R^m}$ for all m ≥ 0 follows immediately from Theorem 2, since
the computation of M^t_{R^m} and of M*_{R̄^m} infers constraints that are logical consequences of
R̄^m. For the second statement, note that (M^t_{R^m})↓_{y∪y'\{y_{2i−1},y_{2i}}} is computed as a function
of (M*_{R̄^m})↓_{y∪y'\{y_{2i−1},y_{2i}}} by Theorem 2, and the variables y_{2i−1}, y_{2i} can thus be eliminated before
the tightening step. The argument for the third statement is analogous. □

4.5. Computing Weakest Non-termination Sets in Polynomial Time. We first in-
troduce a result from [8] that defines the "shape" of the closed form R̂(k, x, x') for an
octagonal relation R. Intuitively, for each i ≥ 0, R^i is an octagon, whose bounds evolve in a
periodic way. The following definition gives the precise meaning of periodicity for relations
that have a matrix representation.

Definition 13. An infinite sequence of matrices {M_k}_{k≥1} ∈ Z^{m×m} is said to be periodic if
and only if:

$$\exists b \ge 0\ \exists c > 0\ \exists \Lambda_0, \Lambda_1, \ldots, \Lambda_{c-1} \in \mathbb{Z}^{m \times m} \,.\, M_{b+(k+1)c+i} = \Lambda_i + M_{b+kc+i}$$

for all k ≥ 0 and i = 0, 1, ..., c − 1. The smallest b, c for which the above holds are called
prefix and period of the {M_k}_{k≥1} sequence, respectively.

A result reported in [8] is that the sequence {M^t_{R^i}}_{i≥0} of tightly closed matrices repre-
senting the sequence {R^i}_{i≥0} of powers of a *-consistent octagonal relation R is periodic,
in the sense of the above definition. The constants b and c from Definition 13 will also be
called the prefix and period of the octagonal relation R, throughout this section.

In the subsequent developments, we rely on the following lemma (see [8] for the proof)
that states a property of the rate Λ_0 of an octagonal relation.

Lemma 5. Let R be a *-consistent octagonal relation with prefix b, period c, and rates
Λ_0, ..., Λ_{c−1}. Then, the DBM n · Λ_0 + M^t_{R^b} is tightly closed for all n ≥ 0.

For a set v of variables, let U(v) = {±v_1 ± v_2 | v_1, v_2 ∈ v} denote the set of octagonal
terms over v. As a first remark, by the periodicity of the sequence {M^t_{R^i}}_{i≥0}, the closed
form of the subsequence {R^{b+ℓc}}_{ℓ≥0} (of {R^i}_{i≥0}) can be defined as:

$$R_{b,c}(\ell, \mathbf{x}, \mathbf{x}') \Leftrightarrow \bigwedge_{u \in U(\mathbf{x} \cup \mathbf{x}')} u \le a_u \cdot \ell + d_u \qquad (4.4)$$

where a_u = (Λ_0)_{ij}, d_u = (M^t_{R^b})_{ij} for all octagonal terms u = y_i − y_j. This is indeed the
case, since the matrix sequence {M^t_{R^{b+ℓc}}}_{ℓ≥0} is periodic, i.e., M^t_{R^{b+ℓc}} = ℓ · Λ_0 + M^t_{R^b}, for all
ℓ ≥ 0.

Lemma 6. Let R ⊆ Z^N × Z^N be a *-consistent octagonal relation with prefix b, period c
and let R_{b,c}(ℓ, x, x') be the closed form of {R^{b+ℓc}}_{ℓ≥0} as defined in (4.4). Then, wrs(R) =
⋂_{k≥0} R^{−k}(Z^N). Moreover, wrs(R) = ∅ if there exists u ∈ U(x) such that a_u < 0. Otherwise,
wrs(R) = R^{−b}(Z^N).

Proof. Notice that the function pre_R is monotonic and thus, R^{−k_1}(Z^N) ⊇ R^{−k_2}(Z^N), for
k_1 ≤ k_2. Consequently we have that ⋂_{k≥0} R^{−k}(Z^N) = ⋂_{ℓ≥0} R^{−(b+ℓc)}(Z^N). The latter set
can now be defined using the closed form of the subsequence (4.4), i.e.,

$$\bigcap_{k \ge 0} R^{-k}(\mathbb{Z}^N) = \bigwedge_{\ell \ge 0} \exists \mathbf{x}' \,.\, R_{b,c}(\ell, \mathbf{x}, \mathbf{x}')$$

By Lemma 5, the DBM n · Λ_0 + M^t_{R^b} is tightly closed for all n ≥ 0. Thus, the DBM
encoding of R_{b,c}(ℓ, x, x')[n/ℓ] is tightly closed for all n ≥ 0. By Proposition 3, it follows that
the existential quantifier ∃x' can be eliminated by simply deleting all atomic propositions
involving primed variables from (4.4). Thus, we obtain:

$$\bigcap_{k \ge 0} R^{-k}(\mathbb{Z}^N) = \bigwedge_{u \in U(\mathbf{x})} u \le \inf\{a_u \ell + d_u \mid \ell \ge 0\}$$

where, for a set S ⊆ Z, inf S denotes the minimal element of S, if one exists, or −∞,
otherwise. We have

$$\inf\{a_u \ell + d_u \mid \ell \ge 0\} = \begin{cases} -\infty & \text{if } a_u < 0, \\ d_u & \text{otherwise.} \end{cases}$$

Hence ⋂_{k≥0} R^{−k}(Z^N) is the empty set, if a_u < 0 for some u ∈ U(x). In this case, condition 3
of Lemma 3 holds. Otherwise, we obtain ⋂_{k≥0} R^{−k}(Z^N) = ⋀_{u∈U(x)} u ≤ d_u. However, this is
exactly the set R^{−b}(Z^N), by (4.4). In this case, condition 2 of Lemma 3 holds. Thus, we can
apply Lemma 3 in both cases and conclude that wrs(R) = ⋂_{k≥0} R^{−k}(Z^N). To summarize,
wrs(R) = ∅ if a_u < 0 for some u ∈ U(x). Otherwise, wrs(R) = R^{−b}(Z^N). □

An immediate consequence is that the termination problem is decidable and that the
weakest termination set is an effectively computable Presburger formula.

Theorem 3. The termination problem is decidable for octagonal relations. Moreover, the
weakest non-termination set of an octagonal relation is an effectively computable octagonal
constraint.

Proof. By Lemma 6, the weakest non-termination set of an octagonal relation is either empty
or R^{−b}(Z^N). Moreover, Lemma 6 gives the means to compute this set. Thus, the termination
problem can be decided by checking whether wrs(R) = ∅. □

The following proposition relates values of entries in (M^t_{R̄^k})↓y to weights of runs of
length k + 2 in the even forward zigzag automata.

Proposition 4. Let R(x, x'), x = {x_1, ..., x_N}, be a *-consistent octagonal relation,
R̄(y, y'), y = {y_1, ..., y_{2N}}, be a difference bounds representation of R(x, x'), and let A^{ef}_{ij}
be the even forward zigzag automaton corresponding to R̄(y, y'). Then, the following
assertions are equivalent for all 1 ≤ i, j ≤ 2N and all m ≥ 0:

(1) there exists an acyclic path ρ from y_i^{(0)} to y_j^{(0)} in G_{R̄}^m

(2) there exists a run π in A^{ef}_{ij} of length m + 2 such that w(π) = w(ρ) and π is of the
form π = I^{ef}_{ij} → q −σ→ q' → F^{ef} → ... → F^{ef}, where q, q' ∈ {l, r, lr, rl, ⊥}^{2N} are control
states, the trailing n ≥ 0 transitions are zero-weight self-loops, and w(π) = w(σ);

and moreover, (M*_{R̄^m})_{ij} ≤ w(π) for each run π of the above form. Moreover, there exists
a run π of the above form such that w(π) = (M*_{R̄^m})_{ij}.

Proof. Follows from the construction of A^{ef}_{ij} and the fact that (M*_{R̄^m})_{ij} is the weight of the
minimal weight path from y_i^{(0)} to y_j^{(0)} in G_{R̄}^m, by Lemma 4. □
Figure 6. (a) G_R - graph representation of R(x, x'). (b) G_R^8 - 8-times un-
folding of G_R. (c) Common transition table of even forward zigzag automata.
(d) A run of the zigzag automaton over a path in G_R^8. Indices of the initial
control state indicate that the run encodes a path from x_i^{(0)} to x_j^{(0)}.

Example 6. Consider the set of variables x = {x_1, ..., x_4} and a difference bounds relation
R(x, x') ⇔ x_2 − x'_1 ≤ −1 ∧ x_3 − x'_2 ≤ 0 ∧ x_1 − x'_3 ≤ 0 ∧ x'_4 − x_4 ≤ 0 ∧ x_3 − x_4 ≤ 0. The graph
representation G_R of the relation R(x, x') is depicted in Figure 6 (a). Figure 6 (b) shows
G_R^8, the 8-times unfolding of G_R. The transition table that is common to all even forward
zigzag automata is given in Figure 6 (c). An example of a run π of A^{ef}_{ij} recognizing a path
of constraints in G_R^8 is given in Figure 6 (d). The word accepted by π is a subgraph of G_R^8
shown in Figure 6 (b). The cycle λ : q_1 → q_2 → q_3 → q_1 is taken twice in this run. The
weights of the symbols on the run are w(G_1) = w(G_2) = w(G_4) = 0 and w(G_3) = −1. □

The following lemma gives several equivalent conditions for checking that an octagonal
relation is well-founded. They will later be used to design an efficient polynomial time al-
gorithm that computes the weakest recurrent set of an octagonal relation. These conditions
also provide the basis for the proof of existence of linear ranking functions for well-founded
octagonal relations, which we give in the next section.

Lemma 7. Let R(x, x'), x = {x_1, ..., x_N}, be a *-consistent octagonal relation with prefix
b and R̄(y, y'), y = {y_1, ..., y_{2N}}, be the difference bounds encoding of R(x, x'). Then, the
following statements are equivalent.

(1) R is well-founded

(2) R^{−n_1}(Z^N) ≠ R^{−n_2}(Z^N) for some n_2 > n_1 ≥ b

(3) R^{−n_1}(Z^N) ≠ R^{−n_2}(Z^N) for some n_2 > n_1 ≥ 5^{2N}

(4) there exists a path σ.λ.σ' in A^{ef}_{ij} of the form I^{ef}_{ij} −σ→ q −λ→ q −σ'→ F^{ef} for some
1 ≤ i, j ≤ 2N and a control state q such that w(λ) < 0

(5) R̄ is well-founded

Proof. (1 ⇒ 2) For a proof by contraposition, suppose that R^{−n_1}(Z^N) = R^{−n_2}(Z^N) for
all n_2 > n_1 ≥ b. Thus, ⋂_{k≥0} R^{−k}(Z^N) = R^{−b}(Z^N) and consequently, wrs(R) = R^{−b}(Z^N), by
Lemma 6. Since R is *-consistent, then clearly R^{−b}(Z^N) ≠ ∅. Combining the above, we infer
that wrs(R) = R^{−b}(Z^N) ≠ ∅. Thus, wrs(R) ≠ ∅ and R is not well-founded, contradiction.

(1 ⇒ 3) Similar to (1 ⇒ 2).

(2 ⇒ 1) For a proof by contraposition, suppose that R is not well-founded. By Lemma 6,
wrs(R) = R^{−b}(Z^N). Since wrs(R) is the greatest fixpoint of pre_R, then clearly wrs(R) =
R^{−b}(Z^N) = R^{−n}(Z^N) for all n ≥ b. Consequently, R^{−n_1}(Z^N) = wrs(R) = R^{−n_2}(Z^N) for all
n_2 > n_1 ≥ b.

(3 ⇒ 4) Let n_2 > n_1 ≥ 5^{2N} such that R^{−n_1}(Z^N) ≠ R^{−n_2}(Z^N).
Then, R̄^{−n_1}(Z^{2N}) ≠ R̄^{−n_2}(Z^{2N}) too, by contraposition: For all m ≥ 0, the tightly closed
difference bounds encoding of R^{−m}(Z^N) is (M^t_{R̄^m})↓y, a restriction of M^t_{R̄^m} to the entries
corresponding to unprimed variables. If R̄^{−n_1}(Z^{2N}) = R̄^{−n_2}(Z^{2N}), then (M*_{R̄^{n_1}})↓y =
(M*_{R̄^{n_2}})↓y, by Proposition 4. This implies that (M^t_{R̄^{n_1}})↓y = (M^t_{R̄^{n_2}})↓y, by Theorem 2.
Consequently, R^{−n_1}(Z^N) = R^{−n_2}(Z^N), since (M^t_{R̄^{n_j}})↓y are the tight DBM representations
of R^{−n_j}(Z^N), j = 1, 2.

Since R̄^{−n_1}(Z^{2N}) ≠ R̄^{−n_2}(Z^{2N}), then R̄^{−n_1}(Z^{2N}) ⊋ R̄^{−n_2}(Z^{2N}), by monotonicity of
pre_R̄. Consequently, (M*_{R̄^{n_1}})_{ij} > (M*_{R̄^{n_2}})_{ij} for some 1 ≤ i ≠ j ≤ 2N, by Proposition 2.

By Proposition 4, there exists a path π in A^{ef}_{ij} from I^{ef}_{ij} to F^{ef} such that w(π) = (M*_{R̄^{n_1}})_{ij}.
Moreover π has length n_1 + 2 and can be written as π = I^{ef}_{ij} → q −σ→ q' → F^{ef} → ... → F^{ef}
where w(π) = w(σ). Similarly, there is a path π' from I^{ef}_{ij} to F^{ef} of length n_2 + 2 such
that w(π') = (M*_{R̄^{n_2}})_{ij} and π' = I^{ef}_{ij} → q −σ'→ q' → F^{ef} → ... → F^{ef} where w(π') = w(σ').

We prove that |σ'| > n_1 by contradiction. Suppose that |σ'| ≤ n_1 and denote n = |σ'|.
The path θ = I^{ef}_{ij} → q −σ'→ q' → F^{ef} has length n + 2, hence (M*_{R̄^n})_{ij} ≤ w(θ), by Proposition 4.
We obtain that (M*_{R̄^n})_{ij} ≤ w(π') = (M*_{R̄^{n_2}})_{ij}, by the fact that w(θ) = w(σ') = w(π') and by
Proposition 4. Since n ≤ n_1 < n_2, we infer that (M*_{R̄^n})_{ij} = (M*_{R̄^{n_1}})_{ij} = (M*_{R̄^{n_2}})_{ij}, by monotonicity of
pre_R̄. Contradiction with (M*_{R̄^{n_1}})_{ij} > (M*_{R̄^{n_2}})_{ij}.

Since |σ'| > n_1 ≥ 5^{2N}, there are cycles (at least one) in σ'. Observe that:

• None of these cycles can be positive, since positive weight would imply that π' is
not a minimal run of length n_2, which contradicts the assumption.

• Not all these cycles are zero-weight, which can be demonstrated by contradiction.
Suppose all cycles are zero-weight, erase all of them from σ' and denote the re-
sulting path ρ and its length n = |ρ| ≤ 5^{2N}. Next, build θ = I^{ef}_{ij} → q −ρ→ q' → F^{ef}. We infer
that (M*_{R̄^n})_{ij} ≤ w(π') = (M*_{R̄^{n_2}})_{ij}, since w(θ) = w(ρ) = w(σ') = w(π') and by
Proposition 4. Since n ≤ n_1 < n_2, we infer that (M*_{R̄^n})_{ij} = (M*_{R̄^{n_1}})_{ij} = (M*_{R̄^{n_2}})_{ij},
by monotonicity of pre_R̄. Contradiction with (M*_{R̄^{n_1}})_{ij} > (M*_{R̄^{n_2}})_{ij}.

The above proves that there exists at least one negative-weight cycle in σ'. Consequently,
π' can be split into π' = σ.λ.σ' where λ is a negative weight cycle.

(4 ⇒ 5) By Proposition 4, the length of σ.σ' is |σ.σ'| = m + 2 for some m ≥ 0, and σ.σ'
starts in I^{ef}_{ij} and ends in F^{ef} for some 1 ≤ i, j ≤ 2N. Let p = |λ|. Clearly, (M*_{R̄^{m+kp}})_{ij} ≤
w(σ.λ^k.σ') for all k ≥ 0, by Proposition 4. The infinite sequence {w(σ.λ^k.σ')}_{k≥0} is strictly
decreasing and thus inf{w(σ.λ^k.σ')}_{k≥0} = −∞. Consequently inf{(M*_{R̄^{m+kp}})_{ij}}_{k≥0} = −∞
too. By monotonicity of pre_R̄,

$$\inf\{(M^*_{\bar R^m})_{ij}\}_{m \ge 0} = \inf\{(M^*_{\bar R^{m+kp}})_{ij}\}_{k \ge 0}.$$

Thus, inf{(M*_{R̄^m})_{ij}}_{m≥0} = −∞. Consequently, wrs(R̄) = ⋂_{m≥0} R̄^{−m}(Z^{2N}) = ∅ and R̄ is
well-founded.

(5 ⇒ 1) If R̄ is well-founded, then ⋂_{m≥0} R̄^{−m}(Z^{2N}) = ∅. Thus, there exist 1 ≤ i, j ≤ 2N
such that inf{(M*_{R̄^m})_{ij}}_{m≥0} = −∞. Since (M^t_{R^m})_{ij} ≤ (M*_{R̄^m})_{ij} for all m ≥ 0, by Theorem
2, we infer that inf{(M^t_{R^m})_{ij}}_{m≥0} = −∞ too. Hence, ⋂_{m≥0} R^{−m}(Z^N) = ∅ and R is well-
founded. □

The main result of this section is the following algorithm which computes the weakest
non-termination set of an octagonal relation, in time polynomial in the number of variables
and logarithmic in the maximal absolute value among all coefficients of the relation.

Algorithm 1 Weakest Non-termination Set for Octagonal Relations

input An octagonal relation R ⊆ Z^N × Z^N, over x = {x_1, ..., x_N}

output The weakest non-termination set of R
1: function WNT(R)
2:   V ← R
3:   for all i ∈ 1, 2, ..., 5N do
4:     V ← V ∘ V
5:     if V ⇔ false then return ∅
6:   W ← V ∘ R
7:   if V^{−1}(Z^N) = W^{−1}(Z^N) then return V^{−1}(Z^N)
8:   else return ∅
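As an added example that is not part of the paper, the following Python code puts Theorem 1 and Algorithm 1 together: it builds the coherent DBM of Definition 11, computes the tight closure of Theorem 1, composes relations by restricting the tight closure (Proposition 3), and runs the squaring loop of Algorithm 1. The constraint tuple format, the 0-based twin index `bar`, and the three constructed one-variable relations at the end are assumptions of this example.

```python
import math

INF = math.inf   # absent constraint


def bar(i):
    """Twin index (the paper's i-bar, 0-based): columns 2k and 2k+1 encode +x_{k+1} and -x_{k+1}."""
    return i ^ 1


def var_index(sign, i):
    """0-based DBM index of the y variable standing for sign*x_i (i is 1-based), as in Definition 11."""
    return 2 * (i - 1) + (0 if sign > 0 else 1)


def octagon_to_dbm(n, constraints):
    """Coherent 2n x 2n DBM of a conjunction of terms s1*x_i + s2*x_j <= c, given as tuples
    (s1, i, s2, j, c) with s1, s2 in {+1, -1}; i == j with s1 == s2 encodes 2x_i <= c."""
    size = 2 * n
    m = [[INF] * size for _ in range(size)]
    for k in range(size):
        m[k][k] = 0
    for s1, i, s2, j, c in constraints:
        p, q = var_index(s1, i), var_index(-s2, j)      # s1*x_i + s2*x_j  is  y_p - y_q
        m[p][q] = min(m[p][q], c)
        m[bar(q)][bar(p)] = min(m[bar(q)][bar(p)], c)   # coherence: M_ij = M_{bar j, bar i}
    return m


def half(v):
    return INF if v == INF else v // 2                  # floor(v / 2) on integers


def tight_closure(m):
    """Theorem 1: Floyd-Warshall closure, octagonal-consistency test, then tightening.
    Returns the tightly closed DBM, or None when the octagon has no integer point."""
    size = len(m)
    d = [row[:] for row in m]
    for k in range(size):
        for i in range(size):
            if d[i][k] == INF:
                continue
            for j in range(size):
                if d[i][k] + d[k][j] < d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    if any(d[i][i] < 0 for i in range(size)):           # negative cycle: inconsistent as a DBM
        return None
    if any(half(d[i][bar(i)]) + half(d[bar(i)][i]) < 0 for i in range(size)):
        return None                                     # consistent over Q, empty over Z
    return [[min(d[i][j], half(d[i][bar(i)]) + half(d[bar(j)][j]))
             for j in range(size)] for i in range(size)]


def compose(n, r, s):
    """R o S for relations over x (block 0) and x' (block 1) given as 4n x 4n DBMs: conjoin
    R(x, x') and S(x', x'') over 6n indices, then keep only the x and x'' blocks of the tight
    closure, which is the exact projection by Proposition 3. None if the composition is empty."""
    big = [[INF] * (6 * n) for _ in range(6 * n)]
    for k in range(6 * n):
        big[k][k] = 0
    for i in range(4 * n):
        for j in range(4 * n):
            big[i][j] = min(big[i][j], r[i][j])                                  # R on blocks 0, 1
            big[2 * n + i][2 * n + j] = min(big[2 * n + i][2 * n + j], s[i][j])  # S on blocks 1, 2
    t = tight_closure(big)
    if t is None:
        return None
    keep = list(range(2 * n)) + list(range(4 * n, 6 * n))
    return [[t[i][j] for j in keep] for i in keep]


def preimage(n, v):
    """V^{-1}(Z^n) = exists x'. V: the x block of the tight closure (Proposition 3)."""
    t = tight_closure(v)
    return None if t is None else [row[:2 * n] for row in t[:2 * n]]


def wnt(n, r):
    """Algorithm 1: weakest non-termination set of R as a 2n x 2n DBM, or None for the empty set."""
    v = r
    for _ in range(5 * n):
        v = compose(n, v, v)              # line 4: V <- V o V, so V = R^(2^k)
        if v is None:
            return None                   # line 5: some power of R is false
    w = compose(n, v, r)                  # line 6: W <- V o R
    if w is None:
        return None
    pv, pw = preimage(n, v), preimage(n, w)
    return pv if pv == pw else None       # line 7: the pre-images agree iff the fixpoint is reached


# Constructed relations over x_1 and x'_1 (x'_1 is variable 2 in the tuple encoding, so n = 1).
COUNT_UP   = octagon_to_dbm(2, [(+1, 2, -1, 1, 1), (+1, 1, -1, 2, -1), (-1, 1, -1, 1, 0)])   # x' = x + 1, x >= 0
COUNT_DOWN = octagon_to_dbm(2, [(+1, 2, -1, 1, -1), (+1, 1, -1, 2, 1), (-1, 1, -1, 1, 0)])   # x' = x - 1, x >= 0
BOUNDED    = octagon_to_dbm(2, [(+1, 2, -1, 1, -1), (+1, 1, -1, 2, 1), (-1, 1, -1, 1, 0),
                                (+1, 1, +1, 1, 4)])                                          # ... and x <= 2

if __name__ == "__main__":
    print(wnt(1, COUNT_UP))     # [[0, inf], [0, 0]], i.e. -2x_1 <= 0: every x >= 0 never terminates
    print(wnt(1, COUNT_DOWN))   # None: well-founded
    print(wnt(1, BOUNDED))      # None: the relation is not *-consistent
```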



Theorem 4. Given an octagonal relation R ⊆ Z^N × Z^N, whose maximal absolute value
among all coefficients is μ, Algorithm 1 computes wnt(R) in at most O(N^4 · (log μ + N))
time.

Proof. Note that for all k_1 ≥ 1, R^{k_2}, k_2 = 2^{⌈log_2 k_1⌉}, can be computed in ⌈log_2 k_1⌉ steps by
iterating the assignment R ← R ∘ R. Observe that 5N ≥ log_2(5^{2N}) = 2 · log_2 5 · N for
all N ≥ 1. Thus, 2^{5N} ≥ 5^{2N} for all N ≥ 1. Notice that after executing line 6, V = R^{n_1},
W = R^{n_2}, where n_1 = 2^{5N} and n_2 = 2^{5N} + 1. Clearly, n_2 > n_1 ≥ 5^{2N}.

Consider first the case when R is *-consistent. If the test on line 7 succeeds, then
V^{−1}(Z^N) = W^{−1}(Z^N) = wrs(R) by Lemma 3 and the algorithm returns the correct result. If the
test fails, then R^{−n_1}(Z^N) ≠ R^{−n_2}(Z^N) and consequently, wrs(R) = ∅ by Lemma 7, and the
algorithm returns the correct result. Second, consider the case when R is not *-consistent.
Then the test on line 5 will eventually succeed and the algorithm correctly returns ∅.

To evaluate the time complexity of Algorithm 1, notice that the main loop is iterated at
most 5N times, and each iteration will apply the Floyd-Warshall algorithm to compute
the composition (and check the consistency) of (the DBM encoding of) V, which corresponds
to powers R^m, for m ≤ 2^{5N}. Since the graph unfolding G_R^{2^{5N}}, corresponding to R^{2^{5N}}, has
N · 2^{5N} nodes, each elementary path in this graph is of length at most N · 2^{5N}. Hence
the maximum absolute value among the coefficients of V, at any iteration, is bounded by
μ_max = μ · N · 2^{5N}. Moreover, any run of the Floyd-Warshall algorithm for V takes at most
O(N^3 · log(μ_max · N)) = O(N^3 · (log μ + N)) time. Hence the overall time complexity is at
most O(N^4 · (log μ + N)). □



4.6. On the Existence of Linear Ranking Functions. A ranking function for a given
relation R constitutes a proof of the fact that R is well-founded. We distinguish here two
cases. If R is not *-consistent, then the well-foundedness of R is witnessed simply by an
integer constant i ≥ 0 such that R^i = ∅. Otherwise, if R is *-consistent, we need a better
argument for well-foundedness. In this section, we show that for any *-consistent well-
founded octagonal relation R(x, x'), x = {x_1, ..., x_N}, with prefix b, the (strengthened)
relation defined by (∃x'.R^B) ∧ R, where B = min{b, 5^{2N}}, is well-founded and has a linear
ranking function even when R alone does not have one.

Definition 14. Given a relation defined by R(x, x'), a linear ranking function for R is
a term f(x) = Σ_{i=1}^{N} a_i x_i such that for all valuations ν, ν' : x → Z:

(1) f is decreasing: if ν, ν' ⊨ R(x, x'), then f(ν) > f(ν'),

(2) f is bounded: if ν, ν' ⊨ R(x, x'), then f(ν) ≥ h and f(ν') ≥ h for some h ∈ Z.

The main result of this section is the following:

Theorem 5. Let R(x, x') be a *-consistent octagonal relation, with prefix b ≥ 0. Then,
letting B = min{b, 5^{2N}}, R is well-founded if and only if the relation defined by (∃x'.R^B) ∧ R
is well-founded if and only if (∃x'.R^B) ∧ R has a linear ranking function.

The first part of the theorem is proved by the following lemma:

Lemma 8. Let R(x, x') be a relation, and m ≥ 0 be an integer. Then wrs(R) = ∅ if and
only if wrs(R_m) = ∅, where R_m is the relation defined by (∃x'.R^m) ∧ R.

Proof. "⇒" By the fact that R ⇐ (∃x'.R^m) ∧ R and the monotonicity of wrs. "⇐" We
prove the dual. Assume that wrs(R) ≠ ∅ i.e., there exists an infinite sequence of valuations
σ = {ν_i : x → Z}_{i≥0} such that (ν_i(x), ν_{i+1}(x)) ∈ R, for all i ≥ 0. Then all ν_i(x) belong
to the set defined by ∃x'.R^m, hence σ is an infinite sequence for the relation defined by
(∃x'.R^m) ∧ R as well. □
It remains to prove that the witness relation defined by (∃x'.R^B) ∧ R has a linear
ranking function, provided that it is well-founded. The proof is organized as follows. We
first prove the existence of such a function for difference bounds relations. By Lemma 7, if
the difference bounds relation R is well-founded, then the zigzag automaton must have
a cycle of negative weight. Lemmas 9 and 11 use the structure of this cycle, representing
several of the constraints in R, to show the existence of the linear ranking function for
the witness relation (∃x'.R^B) ∧ R. Second, using the result of Lemma 7 on equivalence of
well-foundedness of an octagon R and its difference bounds representation R̄, we prove the
existence of linear ranking functions for octagonal relations in Lemma 12.



4.6.1. Linear Ranking Function for Difference Bounds Relations. We first prove the existence
of a linear decreasing function, based on the existence of a negative weight cycle in the zigzag
automaton.

Lemma 9. Let R(x, x'), x = {x_1, ..., x_N}, be a *-consistent and well-founded difference
bounds relation with prefix b ≥ 0. Then, there exists a linear function f(x) such that for
all valuations ν : x → Z, ν' : x' → Z satisfying ν, ν' ⊨ R(x, x'), we have f(ν) > f(ν').

Proof. By Lemma 7 there exists a path σ.λ.σ' in A^{ef}_{ij} of the form I^{ef}_{ij} −σ→ q_1 −λ→ q_1 −σ'→ F^{ef}
for some 1 ≤ i, j ≤ 2N and a control state q_1 such that w(λ) < 0. Let us denote the length of
λ by p and write λ as λ = q_1 −G_1→ q_2 ... q_p −G_p→ q_1. Let G_j = (x ∪ x', E_j) for all 1 ≤ j ≤ p.

Consider the following sum of all constraints represented by edges appearing in the
zigzag cycle (note that the sum of weights of these edges equals w(λ)):

$$\sum_{1 \le j \le p} \Big( \sum_{(x_k, x'_l) \in E_j} (x_k - x'_l) + \sum_{(x'_k, x_l) \in E_j} (x'_k - x_l) \Big) \le w(\lambda) \qquad (4.5)$$

The left-hand side of (4.5) can be written equivalently as

$$\sum_{1 \le j \le p} \Big( \sum_{\substack{1 \le i \le N \\ (q_j)_i = r}} (x_i - x'_i) + \sum_{\substack{1 \le i \le N \\ (q_j)_i = l}} (-x_i + x'_i) + \sum_{\substack{1 \le i \le N \\ (q_j)_i = lr}} (-x_i + x_i) + \sum_{\substack{1 \le i \le N \\ (q_j)_i = rl}} (-x'_i + x'_i) \Big) \qquad (4.6)$$

and thus, after simplifications (−x_i + x_i = 0, −x'_i + x'_i = 0), (4.5) can be written equivalently
as

$$\sum_{1 \le j \le p} \Big( \sum_{\substack{1 \le i \le N \\ (q_j)_i = r}} (x_i - x'_i) + \sum_{\substack{1 \le i \le N \\ (q_j)_i = l}} (-x_i + x'_i) \Big) \le w(\lambda) \qquad (4.7)$$

Let f denote the negated sum of all unprimed terms in (4.6) and f' denote the sum of all
primed terms in (4.6). Then, clearly f' = f[x'/x]. Thus, (4.7) can be written as

$$f' - f \le w(\lambda) \qquad (4.8)$$

Notice that since w(λ) < 0, we establish that f' − f < 0, hence f is strictly decreasing.
Formally f(s) > f(s') for all valuations s, s' such that s, s' ⊨ R(x, x'). □
Example 7. (ctd.) We illustrate the construction of the linear decreasing function. $R$ is well-founded, so there exists a path of the form required by Lemma 9, depicted in Figure 6 (d), with $w(\lambda) < 0$. We follow the construction from Lemma 9 and sum the constraints on the edges of $\lambda$. We obtain

$$x_1 - x_3' + x_3 - x_2' + x_2 - x_1' + (x_4' - x_4) + (x_4' - x_4) + (x_4' - x_4) \;\le\; -1,$$

which simplifies to $x_1 + x_2 + x_3 - 3x_4 - (x_1' + x_2' + x_3' - 3x_4') \le -1$. Letting $f(\mathbf{x}) = -(x_1 + x_2 + x_3 - 3x_4)$, we have $f(\mathbf{x}) > f(\mathbf{x}')$, and in fact $f(\mathbf{x}') \le f(\mathbf{x}) - 1$, whenever $R(\mathbf{x},\mathbf{x}')$ holds. $\square$

The next auxiliary lemma proves that if the difference $x_i - x_j$ is bounded in $R^k$ for some $k \ge 1$, then it is bounded in $R^B$ too.

Lemma 10. Let $R(\mathbf{x},\mathbf{x}')$, $\mathbf{x} = \{x_1,\dots,x_N\}$, be a $*$-consistent difference bounds relation with prefix $b \ge 0$ and period $c > 0$. Then, for any $1 \le i,j \le N$ and $k \ge 0$, we have $(M_{R^k})_{ij} < \infty \Rightarrow (M_{R^B})_{ij} < \infty$, where $B = \min\{b, 5^N\}$.

Proof. (Case $0 \le k \le B$) By monotonicity of $\mathrm{pre}_R$, $(M_{R^k})_{ij} \ge (M_{R^B})_{ij}$. Thus if $(M_{R^k})_{ij} < \infty$, then clearly $(M_{R^B})_{ij} < \infty$.

(Case $B < k$ and $B = b$) Let $p = \lceil \frac{k-b}{c} \rceil$ and $k' = b + pc$. Note that $R^{k'} = \widehat{R}_{b,c}(\mathbf{x},\mathbf{x}',\ell)[p/\ell]$, where $\widehat{R}_{b,c}(\mathbf{x},\mathbf{x}',\ell)$ is the closed form of $\{R^{b+\ell c}\}_{\ell \ge 0}$. Since $k' \ge k$, by the same monotonicity argument as in the first case, $(M_{R^{k'}})_{ij} < \infty$. Since $k' = b + pc$, the constraint $x_i - x_j \le a\ell + d$, for some $a, d \in \mathbb{Z}$, is one of the conjuncts of the closed form $\widehat{R}_{b,c}(\mathbf{x},\mathbf{x}',\ell)$. By definition of $\widehat{R}_{b,c}$, we have $R^b \Leftrightarrow \widehat{R}_{b,c}(\mathbf{x},\mathbf{x}',\ell)[0/\ell]$ and consequently $(M_{R^b})_{ij} = a \cdot 0 + d = d < \infty$.

(Case $B < k$ and $B = 5^N$) By the correspondence between the paths of $Z_R$ and the entries of $M_{R^k}$ established earlier, there exists a path $\pi = \sigma_1.\sigma_2.\sigma_3$ in $Z_R$ of length $k + 2$ such that $w(\pi) = (M_{R^k})_{ij}$. Let $\sigma_2'$ be the path obtained by erasing all cycles from $\sigma_2$ and construct $\pi' = \sigma_1.\sigma_2'.\sigma_3$. Let $h = |\sigma_2'|$. Consequently, $(M_{R^h})_{ij} \le w(\pi') < \infty$. Since $\sigma_2'$ is cycle-free, $h \le 5^N$, and therefore $\infty > (M_{R^h})_{ij} \ge (M_{R^{5^N}})_{ij}$ by monotonicity of $\mathrm{pre}_R$. $\square$

Last, we prove that the function $f$ of Lemma 9 is bounded, concluding that it is indeed a ranking function. Since each run in the zigzag automaton recognizes a path from some $x_i$ to some $x_j$, a run that repeats a cycle can be decomposed into a prefix, the cycle itself and a suffix. The recognized path may traverse the cycle several times; however, each exit point from the cycle must match a subsequent entry point. The paths from the exit points to the corresponding entry points give us the necessary lower bound. In fact, these paths appear already in the graphs $G_R^i$ for $i \ge B$, where $b$ is the prefix of $R$ and $B = \min\{b, 5^N\}$. Hence the need for the strengthened witness $(\exists \mathbf{x}'.\,R^B) \wedge R$, as $R$ alone is not enough for proving the boundedness of $f$.

Lemma 11. Let $R(\mathbf{x},\mathbf{x}')$, $\mathbf{x} = \{x_1,\dots,x_N\}$, be a $*$-consistent and well-founded difference bounds relation with prefix $b > 0$. Then, letting $B = \min\{b, 5^N\}$, there exists a linear ranking function for $(\exists \mathbf{x}'.\,R^B) \wedge R$.

Proof. Let $f$ be the linear decreasing function from Lemma 9, let $\lambda : q_1 \xrightarrow{G_1} q_2 \cdots q_p \xrightarrow{G_p} q_1$ be the negative cycle used to construct $f$, and let $q_1 \xrightarrow{\alpha'} F_j$ be the suffix from the proof of Lemma 9. By construction of the zigzag automaton, for any $1 \le j \le p$,

$$|\{i \mid (q_j)_i = r\}| \;=\; |\{i \mid (q_j)_i = l\}|.$$

It follows from (4.7) that each $(q_j)_i = r$ contributes to $f$ with a term $-x_i$, that each $(q_j)_i = l$ contributes to $f$ with a term $+x_i$, and that the remaining positions (the cases $lr$ and $rl$ of (4.6)) do not contribute at all. We now demonstrate that for each $1 \le j \le p$ there exists a bijective matching

$$\beta_j : \{i \mid (q_j)_i = r\} \to \{i \mid (q_j)_i = l\}$$

such that for any $1 \le i_1 \le N$ with $\beta_j(i_1) = i_2$, the difference $x_{i_2} - x_{i_1}$ is bounded from below in $(\exists \mathbf{x}'.\,R^B) \wedge R$; formally, $(\exists \mathbf{x}'.\,R^B) \wedge R \Rightarrow (x_{i_2} - x_{i_1} \ge h)$ for some $h \in \mathbb{Z}$.

Let $j \in \{1,\dots,p\}$. By construction of the zigzag automaton, the concatenated graph $G_j G_{j+1} \cdots G_p \alpha'$ connects each position $i_1$ with $(q_j)_{i_1} = r$ to a unique position $i_2$ with $(q_j)_{i_2} = l$. This induces the required bijection $\beta_j$. Since this concatenated graph is a subgraph of the unfolded constraint graph $G_R^k$ of $R^k$, for some $k \ge 1$, it follows that there is a path from $x_{i_1}$ to $x_{i_2}$ in $G_R^k$; in other words, $R^k \Rightarrow x_{i_1} - x_{i_2} \le h$ for some $h \in \mathbb{Z}$. By Lemma 10, $R^B \Rightarrow x_{i_1} - x_{i_2} \le h'$ for some $h' \in \mathbb{Z}$ too, and clearly $(\exists \mathbf{x}'.\,R^B) \wedge R \Rightarrow x_{i_1} - x_{i_2} \le h'$. Since $x_{i_1} - x_{i_2} \le h'$ if and only if $x_{i_2} - x_{i_1} \ge -h'$, we obtain the required property.

Now, since

$$f \;=\; \sum_{1 \le j \le p} \;\sum_{\substack{1 \le i_1, i_2 \le N \\ \beta_j(i_1) = i_2}} (x_{i_2} - x_{i_1})$$

and since we proved that each of the differences $x_{i_2} - x_{i_1}$ in the sum is bounded from below in $(\exists \mathbf{x}'.\,R^B) \wedge R$, it follows that $f$ is bounded in $(\exists \mathbf{x}'.\,R^B) \wedge R$ too; formally, $(\exists \mathbf{x}'.\,R^B) \wedge R \Rightarrow (f \ge h)$ for some $h \in \mathbb{Z}$.

By Lemma 9, $f$ is decreasing for $R$. Thus $f$ is decreasing for the stronger relation $(\exists \mathbf{x}'.\,R^B) \wedge R$ too, since $(\exists \mathbf{x}'.\,R^B) \wedge R \Rightarrow R$. Hence $f$ is both decreasing and bounded for $(\exists \mathbf{x}'.\,R^B) \wedge R$, i.e., it is a ranking function for $(\exists \mathbf{x}'.\,R^B) \wedge R$. $\square$

Figure 7. Constructing the ranking function.

Example 8. (ctd.) We illustrate the boundedness of $f = -(x_1 + x_2 + x_3 - 3x_4)$ (see Figure 7). First, compute $B = \min\{b, 5^N\} = \min\{3, 5^4\} = 3$. Since there is a path from $x_2$ to $x_4$ in $G_3 G_4$ (and hence in the unfolded constraint graph of some power $R^k$ of $R$), we have $R^k \Rightarrow (x_2 - x_4 \le -1)$, and by Lemma 10 we obtain $R^3 \Rightarrow (x_2 - x_4 \le -1)$. Similarly, since there is a path from $x_3$ to $x_4$ in $G_2 G_3 G_4$, we obtain $R^3 \Rightarrow (x_3 - x_4 \le -1)$, and since there is a path from $x_1$ to $x_4$ in $G_1 G_2 G_3 G_4$, we obtain $R^3 \Rightarrow (x_1 - x_4 \le -1)$. Summing up these three inequalities, we obtain $x_1 + x_2 + x_3 - 3x_4 \le -3$, i.e. $f(\mathbf{x}) = -(x_1 + x_2 + x_3 - 3x_4) \ge 3$, and thus $(\exists \mathbf{x}'.\,R^3) \wedge R \Rightarrow (f \ge 3)$.

As an experiment, we have tried the RankFinder [27] tool (complete for linear ranking functions), which failed to discover a ranking function on this example. This comes as no surprise, since no linear decreasing function that is bounded after the first iteration exists. However, RankFinder does find a ranking function for the witness relation $(\exists \mathbf{x}'.\,R^3) \wedge R$ instead. $\square$
4.6.2. Linear Ranking Functions for Octagonal Relations. In the rest of this section, let us fix the sets of variables $\mathbf{x} = \{x_1,\dots,x_N\}$ and $\mathbf{y} = \{y_1,\dots,y_{2N}\}$, for some $N \ge 1$. We first prove two technical propositions.

Proposition 5. Let $R(\mathbf{x},\mathbf{x}')$ be a $*$-consistent and well-founded octagonal relation, let $\overline{R}(\mathbf{y},\mathbf{y}')$ be its difference bounds encoding, and let $f(\mathbf{y})$ be a linear ranking function for $\overline{R}(\mathbf{y},\mathbf{y}')$. Then the function $\overline{f} = f[x_i/y_{2i-1}, -x_i/y_{2i}]_{i=1}^N$ is a linear ranking function for $R(\mathbf{x},\mathbf{x}')$.

Proof. If $f$ is decreasing, then $f(\mathbf{v}) > f(\mathbf{v}')$ for each $(\mathbf{v},\mathbf{v}') \models \overline{R}(\mathbf{y},\mathbf{y}')$, in particular for the valuations of the form

$$\mathbf{v} = (v_1, -v_1, \dots, v_N, -v_N), \qquad \mathbf{v}' = (v_1', -v_1', \dots, v_N', -v_N').$$

Recall that, by the definition of the difference bounds encoding, for each octagonal constraint $\phi$,

$$\phi \;\Leftrightarrow\; \Big(\exists y_2, y_4, \dots, y_{2N}\,.\; \overline{\phi} \;\wedge\; \bigwedge_{i=1}^{N} y_{2i-1} = -y_{2i}\Big)[x_i/y_{2i-1}]_{i=1}^N .$$

Defining $\overline{f} = f[x_i/y_{2i-1}, -x_i/y_{2i}]_{i=1}^N$, it follows from the above observations that $\overline{f}(\mathbf{v}) > \overline{f}(\mathbf{v}')$ for each $(\mathbf{v},\mathbf{v}') \models R(\mathbf{x},\mathbf{x}')$: the pair of valuations $(v_1,-v_1,\dots,v_N,-v_N)$ and $(v_1',-v_1',\dots,v_N',-v_N')$ satisfies $\overline{R}$, and $\overline{f}$ takes on $\mathbf{v}$ exactly the value $f$ takes on the former. Hence $\overline{f}$ is decreasing too. Similarly, we can prove that $\overline{f}$ is bounded as well. Since $\overline{f}$ is clearly linear by definition, it follows that it is a linear ranking function for $R(\mathbf{x},\mathbf{x}')$. $\square$

Proposition 6. Let $R(\mathbf{x},\mathbf{x}')$ be a $*$-consistent and well-founded octagonal relation, let $\overline{R}(\mathbf{y},\mathbf{y}')$ be its difference bounds encoding, and let $f(\mathbf{y})$ be a linear ranking function for $(\exists \mathbf{y}'.\,\overline{R}^m) \wedge \overline{R}$, for some $m > 0$. Then $\overline{f} = f[x_i/y_{2i-1}, -x_i/y_{2i}]_{i=1}^N$ is a linear ranking function for $(\exists \mathbf{x}'.\,R^m) \wedge R$.

Proof. By the hypothesis, $f(\mathbf{y})$ is a linear ranking function for the difference bounds relation $(\exists \mathbf{y}'.\,\overline{R}^m) \wedge \overline{R}$. By Proposition 5, $\overline{f}(\mathbf{x})$ is a linear ranking function for the octagonal relation whose difference bounds encoding is $(\exists \mathbf{y}'.\,\overline{R}^m) \wedge \overline{R}$. Observe that this octagonal relation is exactly $(\exists \mathbf{x}'.\,R^m) \wedge R$, by the equation relating the powers of $R$ to those of $\overline{R}$, by the definition of the encoding $\overline{\cdot}$, and by Corollary 1. Thus $\overline{f}(\mathbf{x})$ is a linear ranking function for $(\exists \mathbf{x}'.\,R^m) \wedge R$. $\square$

Finally, we show that for each $*$-consistent and well-founded octagonal relation, the corresponding witness relation has a linear ranking function, which proves the second part of Theorem 5.

Lemma 12. Let $R(\mathbf{x},\mathbf{x}')$ be a $*$-consistent and well-founded octagonal relation with prefix $b$. Then, letting $B = \min\{b, 5^{2N}\}$, there exists a linear ranking function for $(\exists \mathbf{x}'.\,R^B) \wedge R$.

Proof. By Lemma 7, $\overline{R}(\mathbf{y},\mathbf{y}')$ is well-founded too, and moreover $\overline{R}(\mathbf{y},\mathbf{y}')$ is $*$-consistent by Theorem 1. Let $\overline{b}$ be the prefix of $\overline{R}$ and define $\overline{B} = \min\{\overline{b}, 5^{2N}\}$. By Lemma 11 (applied to $\overline{R}$, which has $2N$ variables), there exists a linear ranking function $f$ for $(\exists \mathbf{y}'.\,\overline{R}^{\overline{B}}) \wedge \overline{R}$. By Proposition 6, the function $\overline{f} = f[x_i/y_{2i-1}, -x_i/y_{2i}]_{i=1}^N$ is a linear ranking function for $(\exists \mathbf{x}'.\,R^{\overline{B}}) \wedge R$. To see that $\overline{f}$ is a linear ranking function for $(\exists \mathbf{x}'.\,R^B) \wedge R$ too, consider an arbitrary term $y_i - y_j$ of the kind considered in the proof of Lemma 11. If $\overline{b} \le b$, the boundedness argument ($y_i - y_j$ is bounded in $\overline{R}^B$) follows by monotonicity of $\mathrm{pre}_R$ and is similar to the first case of the proof of Lemma 10. If $\overline{b} > b$, one can use an argument similar to the second case of the proof of Lemma 10 and show, using the closed form of $R$ instead of that of $\overline{R}$, that $y_i - y_j$ is bounded in $\overline{R}^B$ too. $\square$

5. Linear Affine Relations

The previous section was concerned with computing weakest non-termination preconditions for non-deterministic integer relations (octagonal relations). Here we present linear affine relations, which are a general model of deterministic transition relations. Linear affine relations are conjunctions of equalities of the form $x_i' = a_{i1} x_1 + \dots + a_{iN} x_N + b_i$, where $a_{i1},\dots,a_{iN}, b_i \in \mathbb{Z}$ are integer coefficients, and Presburger definable conditions on the unprimed variables $x_1,\dots,x_N$. First, we show that the weakest recurrent set of a linear affine relation $R$ can be computed as the limit of the descending Kleene sequence $\mathbb{Z}^N \supseteq \mathrm{pre}_R(\mathbb{Z}^N) \supseteq \mathrm{pre}_R^2(\mathbb{Z}^N) \supseteq \cdots$. Second, this set can be defined in Presburger arithmetic for the subclass of affine relations with the finite monoid property (Section 5.3). Finally, we relax the finite monoid condition and describe a method for generating sufficient termination conditions, i.e. sets $S \subseteq \mathbb{Z}^N$ such that $S \cap \mathrm{wrs}(R) = \emptyset$, for the class of polynomially bounded affine relations (Section 5.4).

Definition 15. Let $\mathbf{x} = (x_1,\dots,x_N)$ be a vector of variables ranging over $\mathbb{Z}$. A relation $R \subseteq \mathbb{Z}^N \times \mathbb{Z}^N$ is an affine relation if it can be defined by a formula $R(\mathbf{x},\mathbf{x}')$ of the form

$$R(\mathbf{x},\mathbf{x}') \;\Leftrightarrow\; \mathbf{x}' = A \times \mathbf{x} + \mathbf{b} \;\wedge\; \phi(\mathbf{x}) \qquad (5.1)$$

where $A \in \mathbb{Z}^{N \times N}$, $\mathbf{b} \in \mathbb{Z}^N$, and $\phi$ is a Presburger formula over the unprimed variables only, called the guard. The formula $\mathbf{x}' = A \times \mathbf{x} + \mathbf{b}$, defining a linear transformation, is called the update.

5.1. Background on Linear Algebra. We first recall several notions of linear algebra needed in the following. A complex number $r$ is said to be a root of the unity if $r^d = 1$ for some integer $d > 0$. If $A \in \mathbb{Z}^{N \times N}$ is a square matrix, then any complex number $\lambda \in \mathbb{C}$ such that $A\mathbf{v} = \lambda\mathbf{v}$ for some non-zero complex column vector $\mathbf{v} \in \mathbb{C}^N$ is called an eigenvalue of $A$; the vector $\mathbf{v}$ is in this case called an eigenvector of $A$. It is known that the eigenvalues of $A$ are the roots of the characteristic polynomial $P_A(x) = \det(A - x I_N)$, which is an effectively computable univariate polynomial. The minimal polynomial $\mu_A$ of $A$ is the monic polynomial of lowest degree such that $\mu_A(A) = 0$. By the Cayley-Hamilton Theorem, $P_A(A) = 0$, hence the minimal polynomial always divides the characteristic polynomial, i.e. the roots of the former are roots of the latter.

If $\lambda_1,\dots,\lambda_N$ are the eigenvalues of $A$, then $\lambda_1^p,\dots,\lambda_N^p$ are the eigenvalues of $A^p$, for all integers $p > 0$. A matrix is said to be diagonalizable if and only if there exist a non-singular matrix $U \in \mathbb{C}^{N \times N}$ and a diagonal matrix $D$ with the eigenvalues $\lambda_1,\dots,\lambda_N$ on the main diagonal such that $A = U \times D \times U^{-1}$. This is the case if and only if $\mu_A$ has only roots of multiplicity one.¹

¹See e.g. Thm 8.47 in [5].
5.2. Termination Preconditions for Deterministic Relations. First, we show that the pre-image function of a deterministic relation is $\cap$-continuous. Since affine transformations are deterministic, this means that their weakest non-termination preconditions can be computed as limits of descending Kleene sequences. Let $\mathbf{x}$ be a set of variables in the following.

Lemma 13. Let $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ be a deterministic relation. Then $\mathrm{pre}_R$ is $\cap$-continuous.

Proof. Let $I = \{1,\dots,d\}$, $d \in \mathbb{N}_\infty$, and let $\{S_i \subseteq \mathbb{Z}^{\mathbf{x}}\}_{i \in I}$ be a potentially infinite collection of sets. We prove that

$$\mathrm{pre}_R\Big(\bigcap_{i \in I} S_i\Big) \;=\; \bigcap_{i \in I} \mathrm{pre}_R(S_i).$$

"$\subseteq$" By monotonicity of $\mathrm{pre}_R$, we have $\mathrm{pre}_R(\bigcap_{i \in I} S_i) \subseteq \mathrm{pre}_R(S_i)$ for all $i \in I$, and hence $\mathrm{pre}_R(\bigcap_{i \in I} S_i) \subseteq \bigcap_{i \in I} \mathrm{pre}_R(S_i)$. "$\supseteq$" Let $\mathbf{v} \in \bigcap_{i \in I} \mathrm{pre}_R(S_i)$. Then for each $i \in I$ there exists $\mathbf{v}_i \in S_i$ such that $(\mathbf{v},\mathbf{v}_i) \in R$. Since $R$ is deterministic, $\mathbf{v}_1 = \mathbf{v}_i$ for all $i \in I$, and hence $\mathbf{v}_1 \in \bigcap_{i \in I} S_i$. Consequently, $\mathbf{v} \in \mathrm{pre}_R(\bigcap_{i \in I} S_i)$. $\square$

Second, we prove that the closed form of a deterministic relation can be defined in Presburger arithmetic whenever the closed form of its update can be defined in Presburger arithmetic. Concretely, the logical definition of a deterministic relation $R$ can be split into a guard and a deterministic update, and the closed form of $R$ can be computed based on the closed form of the update.

Lemma 14. Let $R \subseteq \mathbb{Z}^{\mathbf{x}} \times \mathbb{Z}^{\mathbf{x}}$ be a $*$-consistent deterministic relation and let $\varphi(\mathbf{x})$ be a guard. Then the transitive closure of the relation $R \wedge \varphi$ can be defined as:

$$(R \wedge \varphi)^+(\mathbf{x},\mathbf{x}') \;\Leftrightarrow\; \exists k \ge 1\,.\; \widehat{R}(k,\mathbf{x},\mathbf{x}') \;\wedge\; \forall 0 \le i < k\;\exists \mathbf{y}\,.\; \widehat{R}(i,\mathbf{x},\mathbf{y}) \wedge \varphi(\mathbf{y})$$

where $\widehat{R}$ defines the closed form of $R$.

Proof. "$\Rightarrow$" Let $\nu, \nu' \in \mathbb{Z}^{\mathbf{x}}$ be a pair of valuations such that $\nu, \nu' \models (R \wedge \varphi)^+$. Then there exists $n \ge 1$ such that $\nu, \nu' \models (R \wedge \varphi)^n$. Consequently, there exists a sequence of valuations $\nu = \nu_0, \nu_1, \dots, \nu_n = \nu'$ in $\mathbb{Z}^{\mathbf{x}}$ such that $\nu_i, \nu_{i+1} \models R \wedge \varphi$ for all $0 \le i < n$. By Definition 4, we have $\models \widehat{R}(n, \nu_0, \nu_n)$ and $\models \widehat{R}(i, \nu_0, \nu_i) \wedge \varphi(\nu_i)$ for all $i = 0,\dots,n-1$.

"$\Leftarrow$" Let $\nu, \nu' \in \mathbb{Z}^{\mathbf{x}}$ be two valuations such that $\models \widehat{R}(n, \nu, \nu')$ for some $n \ge 1$ and, for all $i = 0,\dots,n-1$, $\models \widehat{R}(i, \nu, \nu_i)$ and $\models \varphi(\nu_i)$ for some valuation $\nu_i$ of $\mathbf{x}$. Since $\widehat{R}(n) \Leftrightarrow R^n$, by Definition 4 there exists a sequence of valuations $\nu = \nu_0', \nu_1', \dots, \nu_n' = \nu'$ in $\mathbb{Z}^{\mathbf{x}}$ such that $\nu_i', \nu_{i+1}' \models R$. By the fact that $R$ was assumed to be deterministic, we have $\nu_i = \nu_i'$ for all $i = 0,\dots,n-1$, hence $\nu_i' \models \varphi$ for all $i = 0,\dots,n-1$. Clearly then $\nu, \nu' \models (R \wedge \varphi)^+$. $\square$

Since linear affine relations are deterministic, the weakest recurrent set of an arbitrary linear affine relation $R$ can be computed as $\mathrm{wrs}(R) = \bigcap_{m \ge 0} \mathrm{pre}_R^m(\mathbb{Z}^N)$, by Lemma 13 and Lemma 3. Hence the weakest recurrent set can be defined using the closed form of $R$:

$$\mathrm{wrs}(R) \;=\; \forall k \ge 0\,.\; \exists \mathbf{x}'\,.\; \widehat{R}(k,\mathbf{x},\mathbf{x}')$$

By writing $R$ as $R_u(\mathbf{x},\mathbf{x}') \wedge \phi(\mathbf{x})$, where $R_u(\mathbf{x},\mathbf{x}')$ is a deterministic update and $\phi(\mathbf{x})$ is a Presburger guard, we can write the closed form of $R$, by Lemma 14, as

$$\widehat{R}(k,\mathbf{x},\mathbf{x}') \;\Leftrightarrow\; \widehat{R_u}(k,\mathbf{x},\mathbf{x}') \;\wedge\; \forall 0 \le \ell < k\;\exists \mathbf{y}\,.\; \widehat{R_u}(\ell,\mathbf{x},\mathbf{y}) \wedge \phi(\mathbf{y})$$

Then the definition of the weakest recurrent set of a linear affine relation is (after elimination of the trailing existential quantifier, which is always satisfiable because the update is deterministic and total, and renaming $\ell$ to $k$ and $\mathbf{y}$ to $\mathbf{x}'$):

$$\mathrm{wrs}(R)(\mathbf{x}) \;=\; \forall k \ge 0\,.\; \exists \mathbf{x}'\,.\; \widehat{R_u}(k,\mathbf{x},\mathbf{x}') \wedge \phi(\mathbf{x}') \qquad (5.2)$$
5.3. Finite Monoid Affine Relations. The class of finite monoid affine relations was the first class of integer relations for which the transitive closure has been shown to be Presburger definable, by Boigelot [5]. Informally, an affine relation is a finite monoid relation if the set of powers of its transformation matrix is finite. Originally, Boigelot characterized this class by two decidable conditions in [5] (these conditions are restated in Theorem 6 below). Later, Finkel and Leroux noticed in [18] that Boigelot's conditions correspond to the finite monoid property, which is also known to be decidable [24].

Given a vector $\mathbf{x} = (x_1,\dots,x_N)$ of variables, an affine transformation

$$R(\mathbf{x},\mathbf{x}') \;\Leftrightarrow\; \mathbf{x}' = A \times \mathbf{x} + \mathbf{b} \;\wedge\; \phi(\mathbf{x})$$

where $A \in \mathbb{Z}^{N \times N}$, $\mathbf{b} \in \mathbb{Z}^N$, is said to have the finite monoid property [5, 18] if the monoid of powers of $A$, denoted $(\mathcal{M}_A, \times)$ where $\mathcal{M}_A = \{A^i \mid i \ge 0\}$, is finite. Here $A^0 = I_N$ and $A^i = A \times A^{i-1}$ for $i > 0$. It has been shown in [18] that the finite monoid property can be equivalently characterized by the following two conditions.

Theorem 6 ([5, 18]). An affine transformation $R \Leftrightarrow \mathbf{x}' = A \times \mathbf{x} + \mathbf{b}$, where $A \in \mathbb{Z}^{N \times N}$ and $\mathbf{b} \in \mathbb{Z}^N$, has the finite monoid property if and only if there exists $p > 0$ such that the following hold:

(1) every eigenvalue of $A^p$ belongs to the set $\{0, 1\}$,

(2) the minimal polynomial $\mu_{A^p}(x)$ of $A^p$ belongs to the set $\{x, x-1, x(x-1)\}$ (or, equivalently, $A^p$ is diagonalizable).

Both conditions in the above theorem are decidable [5, 18]. It was shown in [5, 18] that the closed form of (the update part of) a linear affine transformation with the finite monoid property is Presburger definable. Together with (5.2), this entails the decidability of the universal termination problem for finite monoid affine relations.

Theorem 7. The weakest non-termination precondition of a finite monoid affine relation is Presburger definable and effectively computable. Consequently, the termination problem is decidable for finite monoid affine relations.

5.4. Polynomially Bounded Affine Relations. In the following, we study another subclass of affine relations, with linear guards and transformation matrices whose eigenvalues are either zero or roots of the unity.

Definition 16. If $\mathbf{x} = (x_1,\dots,x_N)$ is a vector of variables ranging over $\mathbb{Z}$, a polynomially bounded affine relation is a relation of the form

$$R(\mathbf{x},\mathbf{x}') \;\Leftrightarrow\; \mathbf{x}' = A \times \mathbf{x} + \mathbf{b} \;\wedge\; C \times \mathbf{x} \ge \mathbf{d} \qquad (5.3)$$

where $A \in \mathbb{Z}^{N \times N}$ and $C \in \mathbb{Z}^{M \times N}$ are matrices, $\mathbf{b} \in \mathbb{Z}^N$ and $\mathbf{d} \in \mathbb{Z}^M$ are column vectors of integer constants, and moreover all eigenvalues of $A$ are either zero or roots of the unity.

Note that if $A$ is a finite monoid matrix, then all eigenvalues of $A$ are either zero or roots of the unity. Thus the condition on $A$ is weaker for polynomially bounded affine relations. However, since the guard of finite monoid relations is more general (Presburger), the two classes are incomparable.

The closed form of polynomially bounded affine relations can no longer be defined in Presburger arithmetic, thus we renounce defining $\mathrm{wrs}(R)$ precisely and content ourselves with the discovery of sufficient conditions for termination. Basically, given a linear affine relation $R$, we aim at finding a disjunction $\phi(\mathbf{x})$ of linear constraints on $\mathbf{x}$ such that $\phi \wedge \mathrm{wrs}(R)$ is inconsistent, without explicitly computing $\mathrm{wrs}(R)$. For this, we use several existing results from linear algebra (see, e.g., [17]). In the following, it is convenient to work with the equivalent homogeneous form, obtained by adding a variable $x_{N+1}$ that is constantly $1$ and absorbs the constant terms: with $\mathbf{x}_h = (x_1,\dots,x_N,x_{N+1})$, $A_h = \begin{pmatrix} A & \mathbf{b} \\ \mathbf{0} & 1 \end{pmatrix}$ and $C_h = (C \mid -\mathbf{d})$,

$$R(\mathbf{x},\mathbf{x}') \;\Leftrightarrow\; C_h \times \mathbf{x}_h \ge \mathbf{0} \;\wedge\; \mathbf{x}_h' = A_h \times \mathbf{x}_h \qquad (5.4)$$

The weakest recurrent set of $R$ can then be defined as:

$$\mathrm{wrs}(R) \;=\; \exists x_{N+1}\,.\; \forall k \ge 0\,.\; C_h \times A_h^k \times \mathbf{x}_h \ge \mathbf{0} \;\wedge\; x_{N+1} = 1 \qquad (5.5)$$

Definition 17. A function $f : \mathbb{N} \to \mathbb{C}$ is said to be a C-finite recurrence if and only if

$$f(m+d) \;=\; a_{d-1} f(m+d-1) + \dots + a_1 f(m+1) + a_0 f(m), \qquad \forall m \ge 0$$

for some $d \in \mathbb{N}$ and $a_0, a_1, \dots, a_{d-1} \in \mathbb{C}$, with $a_0 \neq 0$. The polynomial $x^d - a_{d-1} x^{d-1} - \dots - a_1 x - a_0$ is called the characteristic polynomial of $f$.

A C-finite recurrence always admits a closed form.

Theorem 8 ([17]). The closed form of a C-finite recurrence $f$ is

$$f(m) \;=\; p_1(m)\,\lambda_1^m + \dots + p_s(m)\,\lambda_s^m$$

where $\lambda_1,\dots,\lambda_s \in \mathbb{C}$ are the distinct (non-zero) roots of the characteristic polynomial of $f$, and $p_1,\dots,p_s \in \mathbb{C}[m]$ are polynomials of degree less than the multiplicities of $\lambda_1,\dots,\lambda_s$, respectively.

Next, we define the closed form for the sequence of powers of $A$. Since the characteristic polynomial of $A$ may have $0$ as a root (when $A$ is singular), Theorem 8 applies to the sequence $m \mapsto (A^m)_{ij}$ only once the nilpotent part of $A$ has died out, which happens after at most $N$ steps.

Corollary 2. Given a square matrix $A \in \mathbb{Z}^{N \times N}$, we have, for all $m \ge N$ (and for all $m \ge 0$ if $A$ is non-singular):

$$(A^m)_{ij} \;=\; p_{1,i,j}(m)\,\lambda_1^m + \dots + p_{s,i,j}(m)\,\lambda_s^m$$

where $\lambda_1,\dots,\lambda_s \in \mathbb{C}$ are the distinct non-zero eigenvalues of $A$, and $p_{1,i,j},\dots,p_{s,i,j} \in \mathbb{C}[m]$ are polynomials of degree less than the multiplicities of $\lambda_1,\dots,\lambda_s$, respectively.

Proof. If $\det(A - xI_N) = \pm(x^d - a_{d-1}x^{d-1} - \dots - a_1 x - a_0)$, with $d = N$, is the characteristic polynomial of $A$, then we have

$$A^d - a_{d-1}A^{d-1} - \dots - a_1 A - a_0 I_N \;=\; 0$$

by the Cayley-Hamilton Theorem. If we define $f_{ij}(m) = (A^m)_{ij}$, then we have

$$A^{m+d} \;=\; a_{d-1}A^{m+d-1} + \dots + a_1 A^{m+1} + a_0 A^m$$
$$f_{ij}(m+d) \;=\; a_{d-1} f_{ij}(m+d-1) + \dots + a_1 f_{ij}(m+1) + a_0 f_{ij}(m)$$

If $0$ is an eigenvalue of multiplicity $e \le N$, dividing the characteristic polynomial by $x^e$ yields a recurrence with non-zero constant coefficient that is satisfied by the shifted sequence $m \mapsto f_{ij}(m+e)$ (Cayley-Hamilton gives $A^e\,q(A) = 0$ for the quotient $q$). By Theorem 8 we therefore have

$$(A^m)_{ij} \;=\; p_{1,i,j}(m)\,\lambda_1^m + \dots + p_{s,i,j}(m)\,\lambda_s^m$$

for all $m \ge e$, for some polynomials $p_{1,i,j},\dots,p_{s,i,j} \in \mathbb{C}[m]$ of degree less than the multiplicities of $\lambda_1,\dots,\lambda_s$, respectively. $\square$
Lemma 15. Let $A \in \mathbb{Z}^{N \times N}$ be a square matrix whose non-zero eigenvalues are all roots of the unity. Then there exist an effectively computable integer $L > 0$ and effectively computable polynomials $p_{ij} \in \mathbb{Q}[m]$, $1 \le i,j \le N$, with rational coefficients, such that $(A^m)_{ij} = p_{ij}(m)$ for every multiple $m \ge N$ of $L$.

Proof. Assume that all non-zero eigenvalues $\lambda_1,\dots,\lambda_s$ of $A$ are such that $\lambda_1^{d_1} = \dots = \lambda_s^{d_s} = 1$, for some integers $d_1,\dots,d_s > 0$. The method given in [5] for testing the finite monoid condition for $A$ also gives bounds for $d_1,\dots,d_s$. Then we have $\lambda_1^L = \dots = \lambda_s^L = 1$, where $L = \mathrm{lcm}(d_1,\dots,d_s)$. As $d_1,\dots,d_s$ are effectively bounded, so is $L$. By Corollary 2, if $m \ge N$ is a multiple of $L$, then $(A^m)_{ij} = p_{1,i,j}(m) + \dots + p_{s,i,j}(m) = p_{ij}(m)$ for some polynomial $p_{ij} \in \mathbb{C}[m]$, i.e. for such $m$ the entries of $A^m$ are polynomially definable. But since $p_{ij}(m)$ assumes real values at infinitely many points $m = kL$, $k > 0$, its coefficients are all real numbers, i.e. $p_{ij} \in \mathbb{R}[m]$. Moreover, the degree of $p_{ij}$ is at most $d = N - 1$, so its coefficients are the unique solution of the linear system

$$p_{ij}(m_0) = (A^{m_0})_{ij}, \quad p_{ij}(m_1) = (A^{m_1})_{ij}, \quad \dots, \quad p_{ij}(m_d) = (A^{m_d})_{ij}$$

for any $d+1$ distinct multiples $m_0 < m_1 < \dots < m_d$ of $L$ with $m_0 \ge N$; its coefficient matrix is an integer Vandermonde matrix. Clearly, since $A \in \mathbb{Z}^{N \times N}$, $A^p \in \mathbb{Z}^{N \times N}$ for any $p \ge 0$, so the right-hand sides are integers. Hence $p_{ij} \in \mathbb{Q}[m]$, and $p_{ij}$ is effectively computable by solving this system. $\square$

We now turn back to the problem of defining $\mathrm{wrs}(R)$ for linear affine relations $R$ of the form (5.3). First notice that if all non-zero eigenvalues of $A$ are roots of the unity, then the same holds for the matrix $A_h$ of the homogeneous form (5.4), whose eigenvalues are those of $A$ together with $1$. By Lemma 15 one can find an integer $L > 0$ and rational polynomials $P_{ij}(k)$ defining $(A_h^k)_{ij}$, for all $1 \le i,j \le N+1$. The condition (5.5) then amounts to a conjunction of the form

$$\mathrm{wrs}(R)(\mathbf{x}) \;=\; \bigwedge_{i=1}^{M} \forall k \ge 0\,.\; P_i(k,\mathbf{x}) \ge 0 \qquad (5.6)$$

where each $P_i = a_{i,d}(\mathbf{x}) \cdot k^d + \dots + a_{i,1}(\mathbf{x}) \cdot k + a_{i,0}(\mathbf{x})$ is a polynomial in $k$ whose coefficients are the linear combinations $a_{i,j} \in \mathbb{Q}[\mathbf{x}]$, of degree one in $\mathbf{x}$. (When $L > 1$, the polynomials $P_i$ describe the guard only at the iterations $k$ covered by Lemma 15, namely the multiples of $L$ not smaller than $N+1$, and (5.6) is to be read with $k$ ranging over those iterations; since every non-terminating run satisfies the guard at all of them, $\mathrm{wrs}(R)$ still implies the conjunction, which is all that the sufficient termination condition below needs.) We are looking for a sufficient condition for termination, which is, in this case, any set of valuations of $\mathbf{x}$ that would invalidate (5.6). The following lemma gives sufficient invalidating clauses for each conjunct above. By taking the disjunction of all these clauses we obtain a sufficient termination condition for $R$.

Lemma 16. Given a polynomial $P(k,\mathbf{x}) = a_d(\mathbf{x}) \cdot k^d + \dots + a_1(\mathbf{x}) \cdot k + a_0(\mathbf{x})$, there exists $n \ge 0$ such that $P(n,\mathbf{x}) < 0$ if, for some $i = 0, 1, \dots, d$, we have $a_{d-i}(\mathbf{x}) < 0$ and $a_d(\mathbf{x}) = a_{d-1}(\mathbf{x}) = \dots = a_{d-i+1}(\mathbf{x}) = 0$.

Proof. Assuming the condition $a_{d-i}(\mathbf{x}) < 0$ and $a_d(\mathbf{x}) = a_{d-1}(\mathbf{x}) = \dots = a_{d-i+1}(\mathbf{x}) = 0$ for some $0 \le i \le d$, we have $P(k,\mathbf{x}) = a_{d-i}(\mathbf{x}) \cdot k^{d-i} + \dots + a_1(\mathbf{x}) \cdot k + a_0(\mathbf{x})$. Since the dominant coefficient $a_{d-i}(\mathbf{x})$ is negative, the polynomial assumes only negative values from some point on (in particular at infinitely many multiples of any $L > 0$). $\square$

Example 9. Consider the following program [15], its linear transformation matrix $A$ and the powers $A^k$ of $A$:

    while (x > 0) {
      x' = x + y
      y' = y + z
    }

$$A = \begin{pmatrix} 1 & 1 & 0 \\ 0 & 1 & 1 \\ 0 & 0 & 1 \end{pmatrix} \qquad\qquad A^k = \begin{pmatrix} 1 & k & \frac{k(k-1)}{2} \\ 0 & 1 & k \\ 0 & 0 & 1 \end{pmatrix}$$

The characteristic polynomial of $A$ is $\det(A - \lambda I_3) = (1-\lambda)^3$, hence the only eigenvalue is $1$, with multiplicity $3$ (so $L = 1$ in Lemma 15). Then we compute $A^k$ (see above), and $x' = x + k \cdot y + \frac{k(k-1)}{2} \cdot z$ gives the value of $x$ after $k$ iterations of the loop. Hence the (precise) non-termination condition is:

$$\forall k \ge 0\,.\; \tfrac{z}{2} \cdot k^2 + \big(y - \tfrac{z}{2}\big) \cdot k + x \;>\; 0 .$$

Applying Lemma 16 to the coefficients $a_2 = z/2$, $a_1 = y - z/2$ and $a_0 = x$, a sufficient condition for termination is:

$$(z < 0) \;\vee\; (z = 0 \wedge y < 0) \;\vee\; (z = 0 \wedge y = 0 \wedge x < 0) \qquad \square$$
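The computation of (5.6) and the test of Lemma 16, carried out on Example 9, as an added example written for this page (it is not code from the paper or from any tool it cites). It works in exact rational arithmetic on the homogeneous form (5.4): `power_polys` recovers the polynomials of Lemma 15 by interpolating $A_h^m$ at sample points (the search bound `lmax` on $L$ and the shift by $N$ that lets zero eigenvalues die out first are this example's own choices; the paper takes the bound on $L$ from [5]), `guard_polynomials` builds the coefficients $a_{i,t}(\mathbf{x})$ of each $P_i(k,\mathbf{x})$ as linear forms over $(x_1,\dots,x_N,1)$, and `sufficient_for_termination` applies the leading-coefficient test of Lemma 16 to a concrete initial valuation. The guard $x > 0$ of Example 9 is encoded as $x \ge 1$. The concrete execution `run_loop` is included only to cross-check the verdicts.

```python
from fractions import Fraction

# Added example, not code from the paper: Lemma 15 (closed form of A^m) and the
# Lemma 16 sufficient termination test for a polynomially bounded affine loop
#     x' = A x + b   guarded by   C x >= d,
# in exact rational arithmetic on the homogeneous form (5.4).

def identity(n):
    return [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]

def mat_mul(A, B):
    return [[sum(a * B[k][j] for k, a in enumerate(row)) for j in range(len(B[0]))]
            for row in A]

def mat_pow(A, k):
    R = identity(len(A))
    for _ in range(k):
        R = mat_mul(R, A)
    return R

def interpolate(points):
    """Lagrange interpolation: coefficients c[0..d] (lowest degree first) of the unique
    polynomial of degree <= d through the d+1 given (m, value) pairs."""
    d = len(points) - 1
    coeffs = [Fraction(0)] * (d + 1)
    for i, (mi, yi) in enumerate(points):
        basis, denom = [Fraction(1)], Fraction(1)        # basis = prod_{j != i} (m - mj)
        for j, (mj, _) in enumerate(points):
            if j != i:
                basis = [Fraction(0)] + basis              # multiply by m ...
                for t in range(len(basis) - 1):
                    basis[t] -= mj * basis[t + 1]          # ... then subtract mj * old
                denom *= mi - mj
        for t, c in enumerate(basis):
            coeffs[t] += yi * c / denom
    return coeffs

def power_polys(A, lmax=64):
    """Lemma 15: find the least L <= lmax with A^n (A^L - I)^n = 0, i.e. every eigenvalue
    of A is 0 or an L-th root of unity (lmax is this example's own search bound).
    Returns (L, P) where P[i][j] lists the coefficients of a polynomial p_ij with
    (A^m)_ij = p_ij(m) for all m >= n with m = n (mod L); the shift by n lets the
    zero eigenvalues die out before interpolating."""
    n = len(A)
    An = mat_pow(A, n)
    for L in range(1, lmax + 1):
        N = [[x - y for x, y in zip(r1, r2)] for r1, r2 in zip(mat_pow(A, L), identity(n))]
        if all(v == 0 for row in mat_mul(An, mat_pow(N, n)) for v in row):
            break
    else:
        raise ValueError("an eigenvalue is neither 0 nor a root of unity (or lmax too small)")
    samples = [(n + t * L, mat_pow(A, n + t * L)) for t in range(n + 1)]
    P = [[interpolate([(m, M[i][j]) for m, M in samples]) for j in range(n)] for i in range(n)]
    return L, P

def guard_polynomials(A, b, C, d, lmax=64):
    """Equation (5.6): for every guard row i the polynomial P_i(k, x) = (C_h A_h^k x_h)_i,
    returned as coefficients a_{i,0}..a_{i,deg}, each a linear form over (x_1..x_N, 1)."""
    n = len(A)
    Ah = [[Fraction(v) for v in row] + [Fraction(bi)] for row, bi in zip(A, b)]
    Ah.append([Fraction(0)] * n + [Fraction(1)])               # x_{N+1} = 1 stays 1
    Ch = [[Fraction(v) for v in row] + [Fraction(-di)] for row, di in zip(C, d)]
    L, P = power_polys(Ah, lmax)
    deg = len(P[0][0]) - 1
    polys = [[[sum(crow[j] * P[j][l][t] for j in range(n + 1)) for l in range(n + 1)]
              for t in range(deg + 1)] for crow in Ch]
    return L, polys

def leading_coefficient_negative(poly, x0):
    """Lemma 16: with its coefficients evaluated at the initial valuation x0, P(k, x0) is
    eventually negative iff its highest non-zero coefficient is negative."""
    xh = [Fraction(v) for v in x0] + [Fraction(1)]
    for form in reversed(poly):
        a = sum(c * v for c, v in zip(form, xh))
        if a != 0:
            return a < 0
    return False

def sufficient_for_termination(A, b, C, d, x0):
    """True if some guard conjunct of (5.6) eventually fails from x0 (sufficient, not necessary)."""
    _, polys = guard_polynomials(A, b, C, d)
    return any(leading_coefficient_negative(p, x0) for p in polys)

def run_loop(A, b, C, d, x0, max_steps=10_000):
    """Concrete execution, for cross-checking only: iterations until the guard fails, else None."""
    x = [Fraction(v) for v in x0]
    for step in range(max_steps):
        if not all(sum(c * v for c, v in zip(row, x)) >= di for row, di in zip(C, d)):
            return step
        x = [sum(a * v for a, v in zip(row, x)) + bi for row, bi in zip(A, b)]
    return None

# Example 9: while (x > 0) { x' = x + y; y' = y + z }, with the guard x > 0 written as x >= 1.
A9, B9, C9, D9 = [[1, 1, 0], [0, 1, 1], [0, 0, 1]], [0, 0, 0], [[1, 0, 0]], [1]

if __name__ == "__main__":
    L, polys = guard_polynomials(A9, B9, C9, D9)
    print("L =", L)
    for t, form in enumerate(polys[0]):                  # coefficients over (x, y, z, 1)
        print(f"k^{t}: {[str(c) for c in form]}")
    for x0 in ([5, 0, -1], [1, 1, 0], [0, 5, 0]):
        print(x0, sufficient_for_termination(A9, B9, C9, D9, x0), run_loop(A9, B9, C9, D9, x0))
```

On Example 9 the recovered coefficients are $a_2 = z/2$, $a_1 = y - z/2$, $a_0 = x - 1$ (the $-1$ comes from encoding $x > 0$ as $x \ge 1$), matching the text. The initial valuation $(x,y,z) = (0,5,0)$ shows the one-sidedness of Lemma 16: the loop stops at once because the guard is already false, but no coefficient of $P$ is negative at that point, so the sufficient condition does not fire.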

We can generalize this method further to the case where all eigenvalues of $A$ are of the form $q \cdot r$, with $q \in \mathbb{R}$ and $r \in \mathbb{C}$ a root of the unity. The main reason for not using this condition from the beginning is that we are, to this point, unaware of its decidability status. With this condition instead, it is sufficient to consider only the eigenvalues with the maximal absolute value, and the polynomials obtained as sums of the polynomial coefficients of these eigenvalues. The result of Lemma 15 and the sufficient condition of Lemma 16 carry over when using these polynomials instead.

6. Termination Analysis of Integer Programs

In this section, we extend the computation of weakest non-termination preconditions from simple conjunctive loops to programs with possibly nested loops. The method described here applies the transition invariants technique, initially developed for proving program termination [28], to the computation of weakest non-termination preconditions.

The method can be summarized as follows. Suppose that $R$ is the (disjunctive) transition relation of a program. Our method first computes (1) a transition invariant, i.e., a relation $R_1^\sharp \cup \dots \cup R_n^\sharp$ which overapproximates the transitive closure of $R$ restricted to the states reachable from a set $\mathit{Init}$ of initial configurations, and (2) the reachability relation, defined as the restriction of the transitive closure $R^+$ of the transition relation to the initial program configurations, $\mathit{Reach} = \{(s,s') \mid s \in \mathit{Init},\, (s,s') \in R^+\}$. For computing $R^+$ we can use, e.g., the method described in [10]. Next, we compute the weakest non-termination set $\mathrm{wnt}(R_i^\sharp)$ of each disjunct $R_i^\sharp$ by applying Algorithm 1. The weakest non-termination precondition of the program is then overapproximated by the pre-image of $\mathrm{wnt}(R_1^\sharp) \cup \dots \cup \mathrm{wnt}(R_n^\sharp)$ via the reachability relation, i.e., $\mathit{Reach}^{-1}(\mathrm{wnt}(R_1^\sharp) \cup \dots \cup \mathrm{wnt}(R_n^\sharp))$, or equivalently $\bigcup_{i=1}^n \mathit{Reach}^{-1}(\mathrm{wnt}(R_i^\sharp))$.

The technique presented in this section can be further applied to programs with (recursive) procedure calls, by using the program transformation described in [3], which turns programs with recursive procedure calls into programs without procedures, with equivalent non-termination preconditions. The main ingredient of this technique is the summarization of procedures, i.e., computing an overapproximation of the relation between the values of the input parameters and the values returned by the procedure.

6.1. Motivation. Consider the non-deterministic integer program in Figure 8 (a). If $x = 0$ initially, the program terminates immediately. It is easy to see that when $x < 0$ initially, the program can loop forever between lines 1 and 4: the non-deterministic choice at line 2 can always take the first branch, which decreases $x$ and keeps it different from $0$. If $x > 0$ initially, the program terminates, since the tuple of valuations $(x, y)$ decreases in the lexicographic order with each iteration, and the loop can be fired only for values $x > 0$.

We view programs as control flow graphs (CFG) labeled with arithmetic formulae. Figure 8 (b) depicts the control flow graph of the program in Figure 8 (a).

The mechanics of our algorithm computing the weakest non-termination set, applied to the above example, is as follows. First, we collapse the loops in Figure 8 (b) into self-loops, obtaining the reduced control flow graph in Figure 8 (c). Then, we compute a transition
Figure 8 (a): the example program.

    int x,y;
    1. while (x != 0) {
    2.   if (*) {
    3.     y = x;
    4.     x = x-1;
    5.   } else if (y>0) {
    6.     y = y-1;
         }
       }

Figure 8 (b): the control flow graph of the program, one edge per statement, each labeled by its guard ($x \ne 0$, $y > 0$, or $\mathit{true}$ for the non-deterministic choice) or by its update ($y' = x$, $x' = x - 1$, $y' = y - 1$).

Figure 8 (c): the reduced control flow graph, in which the two loop paths are collapsed into self-loops labeled

$$x \ne 0 \;\wedge\; y' = x \;\wedge\; x' = x - 1 \qquad\text{and}\qquad x \ne 0 \;\wedge\; y > 0 \;\wedge\; y' = y - 1 \;\wedge\; x' = x .$$

Figure 8. Example Program and its Control Flow Graph



invariant $\mathit{TInv}$ of the program, $\mathit{TInv} = R_1 \vee R_2 \vee R_3 \vee R_4 \vee R_5$, where:

$$\begin{array}{lll}
R_1 : & x' \ge 1 \;\wedge\; y' \ge 0 \;\wedge\; x' \le x - 1 \;\wedge\; y' \le x' & \mathrm{wnt}(R_1) = \bot \\
R_2 : & x \le -1 \;\wedge\; y' \le x \;\wedge\; y' = x' + 1 & \mathrm{wnt}(R_2) = (x \le -1) \\
R_3 : & y' \ge 1 \;\wedge\; y' \le x \;\wedge\; y' = x' + 1 & \mathrm{wnt}(R_3) = \bot \\
R_4 : & x \ge 1 \;\wedge\; x' \ge 1 \;\wedge\; x' = x \;\wedge\; y' \ge 0 \;\wedge\; y' \le y - 1 & \mathrm{wnt}(R_4) = \bot \\
R_5 : & x \le -1 \;\wedge\; x' = x \;\wedge\; x' \le -1 \;\wedge\; y' \ge 0 \;\wedge\; y' \le y - 1 & \mathrm{wnt}(R_5) = \bot
\end{array}$$

Next, we compute the weakest non-termination set of each disjunct of $\mathit{TInv}$, obtaining $\mathrm{wnt}(R_1), \dots, \mathrm{wnt}(R_5)$ as listed above: $R_2$ can be iterated forever from any $x \le -1$ (it gives $x' = y' - 1 \le x - 1$, so $x$ stays below $-1$), whereas each of the other four disjuncts strictly decreases a quantity that it also bounds from below ($x$ in $R_1$ and $R_3$, $y$ in $R_4$ and $R_5$) and therefore admits no infinite run. The disjunction of these non-termination sets defines the set of configurations from which a non-terminating run that starts at line 1 exists:

$$M \;=\; \mathrm{wnt}(R_1) \vee \mathrm{wnt}(R_2) \vee \mathrm{wnt}(R_3) \vee \mathrm{wnt}(R_4) \vee \mathrm{wnt}(R_5) \;=\; (x \le -1)$$

6.2. Syntax and Semantics. In the following, we abstract from specific programming language constructs and assume that programs are represented by control flow graphs (CFG) whose edges are labeled by Presburger arithmetic formulae defining relations. Formally, an integer program is a tuple $P = (\mathbf{x}, Q, q_I, \Delta)$, where:

• $\mathbf{x}$ is the set of variables of $P$,

• $Q$ is the finite set of control states of $P$,

• $\Delta$ is a set of transition rules of the form $q \xrightarrow{R} q'$, where $q, q' \in Q$ are the source and destination states, and $R(\mathbf{x},\mathbf{x}')$ defines a Presburger arithmetic relation,

• $q_I \in Q$ is the initial control state of $P$.

An example of an integer program is given in Figure 8 (a).

A configuration of a program $P = (\mathbf{x}, Q, q_I, \Delta)$ is a pair $(q, \nu)$, where $q \in Q$ is a control state and $\nu \in \mathbb{Z}^{\mathbf{x}}$ is a valuation of the variables. Given two configurations $(q,\nu)$ and $(q',\nu')$ of a program $P$, the configuration $(q',\nu')$ is said to be an immediate successor of $(q,\nu)$ if and only if $q \xrightarrow{R} q' \in \Delta$ and $\nu, \nu' \models R$. A run of length $k$ of the program $P$ from $q$ to $q'$ is a finite sequence $(q_0,\nu_0) \to (q_1,\nu_1) \to \dots \to (q_k,\nu_k)$ such that $q = q_0$, $q' = q_k$, and $(q_{i+1},\nu_{i+1})$ is an immediate successor of $(q_i,\nu_i)$ for all $0 \le i < k$. An infinite run of a program $P$ from a control state $q$ is an infinite sequence $(q_0,\nu_0) \to (q_1,\nu_1) \to \dots$ such that $q = q_0$ and $(q_{i+1},\nu_{i+1})$ is an immediate successor of $(q_i,\nu_i)$ for all $i \ge 0$. We define the transitive relation of the program as:

$$[\![P]\!]^+(q,q') \;=\; \{(\nu,\nu') \mid (q,\nu) \to \dots \to (q',\nu') \text{ is a run of } P \text{ of length } k \ge 1\}$$

and the reflexive and transitive relation $[\![P]\!]^*$ as the extension of $[\![P]\!]^+$ which considers runs of length zero as well. The weakest non-termination set of a program $P$ at control state $q$, denoted $[\![P]\!]^{wnt}(q)$, is the set of configurations $(q,\nu)$ from which an infinite run is possible. The set of configurations with control state $q$ that are reachable from the initial state $q_I$ can be defined as the post-image of $\mathbb{Z}^{\mathbf{x}}$ via $[\![P]\!]^*(q_I,q)$. With this notation, the transition invariant $[\![P]\!]^{TInv}$ of a program $P$ is defined for each $q, q' \in Q$ as the restriction of the transitive relation to the set of reachable configurations:

$$[\![P]\!]^{TInv}(q,q') \;\Leftrightarrow\; [\![P]\!]^+(q,q') \;\wedge\; \big([\![P]\!]^*(q_I,q)\big)(\mathbb{Z}^{\mathbf{x}})$$



6.3. Computing Termination Sets. The following theorem is used to compute (overapproximations of) weakest non-termination preconditions from (overapproximations of) transition invariants.

Theorem 9. Let $P = (\mathbf{x}, Q, q_I, \Delta)$ be a program, and let there be relations $R_{q,k}$, $1 \le k \le p_q$, for some $p_q \ge 1$, such that $[\![P]\!]^{TInv}(q,q) \subseteq \bigcup_{k=1}^{p_q} R_{q,k}$ for every $q \in Q$. Let

$$M \;=\; \bigcup_{q \in Q} \Big([\![P]\!]^*(q_I,q)\Big)^{-1}\Big(\bigcup_{k=1}^{p_q} \mathrm{wnt}(R_{q,k})\Big).$$

Then $[\![P]\!]^{wnt}(q_I) \subseteq M$. Moreover, if $[\![P]\!]^{TInv}(q,q) = \bigcup_{k=1}^{p_q} R_{q,k}$ for every $q \in Q$, then $[\![P]\!]^{wnt}(q_I) = M$.

Proof. First suppose that $[\![P]\!]^{TInv}(q,q) = \bigcup_{k=1}^{p_q} R_{q,k}$ for all $q \in Q$.

"$\subseteq$" Let $\rho_1 = (q_I,\nu_0)(q_1,\nu_1)(q_2,\nu_2)\dots$ be an infinite run of $P$. Since $Q$ is finite, there exist infinitely many integers $1 \le \ell_1 < \ell_2 < \ell_3 < \dots$ such that $q = q_{\ell_1} = q_{\ell_2} = q_{\ell_3} = \dots$ for some $q \in Q$. We construct an infinite meta-run $\rho_2 = (q_I,\nu_0)(q,\nu_{\ell_1})(q,\nu_{\ell_2})\dots$. It follows from the definition of $[\![P]\!]^{TInv}$ that

$$(\nu_{\ell_i}, \nu_{\ell_j}) \;\in\; [\![P]\!]^{TInv}(q,q) \;=\; \bigcup_{k=1}^{p_q} R_{q,k}$$

for all $1 \le i < j$. We next rename the valuations in $\rho_2$ to obtain $\rho_2 = (q_I,\mu_0)(q,\mu_1)(q,\mu_2)\dots$, and write $R_1,\dots,R_p$ for $R_{q,1},\dots,R_{q,p_q}$.

Since $[\![P]\!]^{TInv}(q,q) \subseteq \bigcup_{k=1}^{p} R_k$, for each $\ell > k \ge 1$ there exists $1 \le j \le p$ such that $(\mu_k, \mu_\ell) \in R_j$. Consequently, we can construct a function $f : \{(k,\ell) \mid \ell > k \ge 1\} \to \{R_1,\dots,R_p\}$ such that $(\mu_k,\mu_\ell) \in f(k,\ell)$ for all $\ell > k \ge 1$.

Let $\sim$ be the kernel of $f$, that is, $(k,\ell) \sim (k',\ell')$ if and only if $f(k,\ell) = f(k',\ell')$. Clearly, $\sim$ is an equivalence relation of finite index, since the range of $f$ is finite. Consequently, by Ramsey's theorem [30], there exist an infinite sequence of integers $1 \le k_1 < k_2 < k_3 < \dots$ and an equivalence class $[(m,n)]_\sim$, for some $m < n$, such that $(k_i, k_{i+1}) \sim (m,n)$ for all $i \ge 1$. Thus there exists $1 \le j \le p$ such that $f(k_i, k_{i+1}) = R_j$ for all $i \ge 1$. Consequently, $\mu_{k_1}\mu_{k_2}\dots$ is an infinite run of $R_j$ and hence $\mu_{k_1} \in \mathrm{wnt}(R_j)$. Since $(\mu_0, \mu_{k_1}) \in [\![P]\!]^*(q_I,q)$ by definition of $[\![P]\!]^*$, it follows that

$$\nu_0 = \mu_0 \;\in\; \Big([\![P]\!]^*(q_I,q)\Big)^{-1}\big(\mathrm{wnt}(R_j)\big) \;\subseteq\; \Big([\![P]\!]^*(q_I,q)\Big)^{-1}\Big(\bigcup_{k=1}^{p} \mathrm{wnt}(R_k)\Big) \;\subseteq\; M.$$

Thus $[\![P]\!]^{wnt}(q_I) \subseteq M$.

"$\supseteq$" Clearly, $\bigcup_{k=1}^{p_q} \mathrm{wnt}(R_{q,k})$ is the set of initial valuations of non-terminating runs that start in $q \in Q$ and return to $q$ infinitely often, by definition of $[\![P]\!]^{TInv}$: every pair in $R_{q,k} \subseteq [\![P]\!]^+(q,q)$ is realized by a run of $P$ from $q$ to $q$, and these runs can be concatenated. Consequently, $([\![P]\!]^*(q_I,q))^{-1}(\bigcup_{k=1}^{p_q} \mathrm{wnt}(R_{q,k}))$ is the set of valuations in $q_I$ from which a non-terminating run that loops infinitely at $q$ exists. Consequently,

$$\bigcup_{q \in Q} \Big([\![P]\!]^*(q_I,q)\Big)^{-1}\Big(\bigcup_{k=1}^{p_q} \mathrm{wnt}(R_{q,k})\Big)$$

is the set of valuations in $q_I$ from which a non-terminating run that loops in some $q \in Q$ exists, and thus $M \subseteq [\![P]\!]^{wnt}(q_I)$.

Next, observe that if only $[\![P]\!]^{TInv}(q,q) \subseteq \bigcup_{k=1}^{p_q} R_{q,k}$ holds for all $q \in Q$, the "$\subseteq$" direction of the above proof still goes through, since it used nothing but this inclusion. $\square$

Next, we present an algorithm that computes an over-approximation of $\llbracket P \rrbracket^{wnt}(q_I)$. We first compute an over-approximation of $\llbracket P \rrbracket^{Tinv}$. To this end, we adapt the procedure summary algorithm from [10]. Then, an over-approximation of $\llbracket P \rrbracket^{wnt}(q_I)$ can be computed by applying Theorem 9. Algorithm 2 achieves this by executing lines 4 and 5 for each control state $q \in Q$. Note that we can apply Algorithm 1 from Section 4.5 to compute the weakest non-termination sets $wnt(R_j)$ at line 5.

Algorithm 2 Over-approximating the Weakest Non-termination Precondition of a Program

input A program $P = \langle \mathbf{x}, Q, q_I, \Delta \rangle$
output An over-approximation of $\llbracket P \rrbracket^{wnt}(q_I)$
1: function WNT_APPROX($P = \langle \mathbf{x}, Q, q_I, \Delta \rangle$)
2:   $M \leftarrow \emptyset$
3:   for each $q \in Q$ do
4:     let $\llbracket P \rrbracket^{Tinv}(q,q) \subseteq (R_1 \vee \cdots \vee R_p)$ for some $R_1,\ldots,R_p$, $p \geq 1$
5:     $M \leftarrow M \cup \big(\llbracket P \rrbracket^{*}(q_I,q)\big)^{-1}\big(\bigcup_{j=1}^{p} \mathrm{WNT}(R_j)\big)$
6:   return $M$



6.4. Flat Integer Programs. In this section, we define a class of integer programs for which our method computes precisely the weakest non-termination preconditions, as formulae in Presburger arithmetic. As a consequence, the universal termination problem is decidable for this class. A flat integer program is a program where:

(1) each control state belongs to at most one cycle in the control flow graph (CFG);

(2) for each cycle $q_1 \xrightarrow{R_1} q_2 \ldots q_n \xrightarrow{R_n} q_1$ in the CFG, the relation $(R_1 \circ \ldots \circ R_n)$ is either octagonal or a finite monoid affine relation.

Let $P$ be a flat integer program. It is known that the reachability problem for flat integer programs is decidable [11, 23, 14] and that $\llbracket P \rrbracket^{*}$ can be effectively computed as a Presburger formula using e.g. a method from [10]. Consider Algorithm 3, which uses an auxiliary procedure LoopLabel($P$, $q$) that returns the composition of the relations labeling the unique cycle on which the control state $q$ appears, or the empty relation if there is no such cycle. Let $q \in Q$ and let $L_q = $ LoopLabel($P$, $q$). Since $L_q$ is either an octagonal or a finite monoid affine relation, the weakest non-termination set $wnt(L_q)$ is Presburger definable, as proved in Sections 4 and 5. The weakest non-termination precondition can be computed by observing that, if the program has an infinite run, then this run will get stuck in some loop labeled $L_q$: a run visits some control state $q$ infinitely often, and since $q$ lies on at most one cycle, every closed path from $q$ back to $q$ is an iteration of that cycle. Consequently, Algorithm 3 correctly returns a Presburger formula defining $\llbracket P \rrbracket^{wnt}(q_I)$. The following theorem summarizes these observations.

Theorem 10. The weakest non-termination precondition of a flat integer program is effectively computable and Presburger definable. Consequently, the termination problem is decidable for flat integer programs.



Algorithm 3 Weakest Non-termination Precondition for Flat Integer Programs

input A flat integer program $P = \langle \mathbf{x}, Q, q_I, \Delta \rangle$
output $\llbracket P \rrbracket^{wnt}(q_I)$, the weakest non-termination set of $P$
1: function ProgramSummary($P = \langle \mathbf{x}, Q, q_I, \Delta \rangle$)
2:   $M \leftarrow \emptyset$
3:   for each $q \in Q$ do
4:     $N \leftarrow \mathrm{WNT}(\mathrm{LoopLabel}(P, q))$
5:     $M \leftarrow M \cup \big(\llbracket P \rrbracket^{*}(q_I,q)\big)^{-1}(N)$
6:   return $M$
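As an added illustration of Theorem 9, Algorithm 2 and Algorithm 3 (example code written for this page, not the authors' Flata implementation), the following Python runs both algorithms on a constructed three-state flat program whose single variable is assumed to range over the finite domain {0..7}. On a finite domain every relation is an explicit set of pairs, so $\llbracket P \rrbracket^{*}$, $\llbracket P \rrbracket^{Tinv}$ and $wnt(R)$ can be computed by plain fixpoint iteration (the descending Kleene sequence for the greatest fixpoint of the pre-image always converges) instead of the octagonal or Presburger machinery of Sections 4 and 5. The program, the domain bound and all helper names are assumptions of the example; a direct greatest-fixpoint computation over configurations serves as the reference value.

```python
"""Theorem 9 / Algorithm 2 / Algorithm 3 on a constructed finite-domain program.
Added example for this page, not the authors' Flata code; x is assumed to
range over the 3-bit domain {0..7}, so all relations are finite sets of pairs."""
from collections import deque
from itertools import product

DOMAIN = range(8)  # assumed finite domain of the single variable x

# Program P = <x, Q, q_I, Delta>; each transition is (src, dst, guard, update).
# q1 counts x up to 4, q2 doubles x modulo 8 unless x == 5; constructed so that
# exactly one initial value, x = 5, has no infinite run.
Q = ("q0", "q1", "q2")
Q_INIT = "q0"
DELTA = [
    ("q0", "q1", lambda x: True,   lambda x: x),
    ("q1", "q1", lambda x: x < 4,  lambda x: x + 1),
    ("q1", "q2", lambda x: x >= 4, lambda x: x),
    ("q2", "q2", lambda x: x != 5, lambda x: (2 * x) % 8),
]


def successors(q, x):
    """One-step successors of the configuration (q, x)."""
    return {(dst, upd(x)) for src, dst, grd, upd in DELTA if src == q and grd(x)}


def reach_star(q_from, q_to):
    """[[P]]^*(q_from, q_to): pairs (x, x') linked by a run of length >= 0."""
    pairs = set()
    for x0 in DOMAIN:
        seen, work = {(q_from, x0)}, deque([(q_from, x0)])
        while work:  # breadth-first search over configurations
            cfg = work.popleft()
            for nxt in successors(*cfg):
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
        pairs |= {(x0, x) for (q, x) in seen if q == q_to}
    return pairs


def reach_plus(q_from, q_to):
    """[[P]]^+(q_from, q_to): one explicit step followed by [[P]]^*."""
    return {(x0, x) for x0 in DOMAIN for (q1, x1) in successors(q_from, x0)
            for (y, x) in reach_star(q1, q_to) if y == x1}


def tinv(q):
    """[[P]]^Tinv(q, q): [[P]]^+(q, q) restricted to valuations reachable at q."""
    reachable_at_q = {x for (_, x) in reach_star(Q_INIT, q)}
    return {(x, y) for (x, y) in reach_plus(q, q) if x in reachable_at_q}


def pre_image(rel, target):
    """Pre-image of a set of valuations under a relation."""
    return {x for (x, y) in rel if y in target}


def wnt(rel):
    """wnt(R): greatest fixpoint of the pre-image (descending Kleene sequence)."""
    cur = set(DOMAIN)
    while True:
        nxt = pre_image(rel, cur)
        if nxt == cur:
            return cur
        cur = nxt


def wnt_approx(cover):
    """Algorithm 2; cover(q) yields R_1..R_p with [[P]]^Tinv(q,q) ⊆ R_1 ∪ ... ∪ R_p."""
    m = set()
    for q in Q:
        n = set().union(*(wnt(r) for r in cover(q)))
        m |= pre_image(reach_star(Q_INIT, q), n)
    return m


def exact_cover(q):
    """p = 1 and R_1 = [[P]]^Tinv(q,q): Theorem 9 then gives equality."""
    return [tinv(q)]


def coarse_cover(q):
    """All pairs of valuations: sound but useless, a strict over-approximation."""
    return [set(product(DOMAIN, DOMAIN))]


def loop_label(q):
    """LoopLabel(P, q). The cycles of this program are self-loops, so the cycle
    relation is one transition's relation (longer cycles would need the
    composition R_1 ∘ ... ∘ R_n); empty if q lies on no cycle."""
    return {(x, upd(x)) for src, dst, grd, upd in DELTA
            if src == dst == q for x in DOMAIN if grd(x)}


def wnt_flat():
    """Algorithm 3: union over q of the pre-image of wnt(LoopLabel(P, q))."""
    m = set()
    for q in Q:
        m |= pre_image(reach_star(Q_INIT, q), wnt(loop_label(q)))
    return m


def wnt_direct():
    """Reference: [[P]]^wnt(q_I) as a greatest fixpoint over configurations."""
    cfgs = set(product(Q, DOMAIN))
    while True:
        nxt = {c for c in cfgs if successors(*c) & cfgs}
        if nxt == cfgs:
            return {x for (q, x) in cfgs if q == Q_INIT}
        cfgs = nxt


if __name__ == "__main__":
    print("direct:", sorted(wnt_direct()))
    print("Algorithm 2, exact cover:", sorted(wnt_approx(exact_cover)))
    print("Algorithm 2, coarse cover:", sorted(wnt_approx(coarse_cover)))
    print("Algorithm 3:", sorted(wnt_flat()))
```

With the exact transition invariant as the single disjunct ($p = 1$), Algorithm 2 returns the same set as the direct computation over configurations, as the second part of Theorem 9 predicts; with the coarse cover it returns the whole domain, a strict superset, which is all the first part guarantees. Algorithm 3 agrees with the direct value because the cycle relations of this flat program are exact and $wnt$ of a cycle relation coincides with $wnt$ of its transitive closure. The termination precondition is the complement of the returned set, here only x = 5.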



7. Experiments 

We have validated the methods described in this paper by automatically verifying termina- 
tion of all the octagonal running examples, and of several integer programs synthesized from 
(i) programs with lists obtained using the translation scheme from [6] which generates an 
integer program from a program manipulating dynamically allocated single-selector linked 
lists, (ii) VHDL designs such as hardware counter and synchronous LIFO [31], (iii) small 
C programs with challenging loops and (iv) small recursive Java programs from [1] trans- 
lated to non-recursive programs using the translation scheme from [3]. 

We have computed the weakest non-termination sets reported in Table 1 using the methods from Sections 4 and 6, which we implemented in the Flata tool [21]. By computing octagonal abstractions of disjuncts of a transition invariant, we have verified universal termination of the ListCounter and ListReversal programs. Next, we have verified the Counter and SynLifo programs by computing the precise transition invariant and then the weakest non-termination set, which was the whole set of valuations (true) in both cases, i.e. the termination precondition is empty. Thus, these models have infinite runs for any input values, which is to be expected as they encode the behavior of synchronous reactive circuits. Similarly, we have computed the weakest non-termination preconditions for the numerical programs ANUBHAV, COUSOT, LEQ, and PLUS.

Second, we have compared (Table 2) our method for termination of polynomially bounded linear affine loops from Section 5 with the examples given in [15], and found the same termination preconditions as they do, with one exception, in which we can prove universal termination for integer input values (the `while (x > N)` loop in Table 2).
Table 1. Weakest Non-termination Sets for Integer Programs. Size is given as the number of variables ||x||, control states |Q| and transitions |Δ|.

| Model                       | ||x|| | |Q| | |Δ|  | Time [s] | Weakest Non-termination Set |
|-----------------------------|-------|-----|------|----------|-----------------------------|
| (i) Examples from L2CA [6]  |       |     |      |          |                             |
| listcounter                 |   4   |  31 |   35 |      1.2 | false                       |
| listreversal                |   7   |  97 |  107 |     32.6 | false                       |
| (ii) VHDL models from [31]  |       |     |      |          |                             |
| counter                     |   2   |   6 |   13 |      0.8 | true                        |
| register                    |   2   |  10 |   49 |      1.4 | true                        |
| synlifo                     |   3   |  43 | 1006 |   1016.4 | true                        |
| (iii) Examples from [22]    |       |     |      |          |                             |
| anubhav                     |  29   |  20 |   25 |      3.2 | i < 0                       |
| cousot                      |  29   |  31 |   34 |      4.0 | true                        |
| (iv) Examples from [1]      |       |     |      |          |                             |
| leq                         |   3   |   5 |    6 |      0.6 | false                       |
| leq.modif                   |   3   |   5 |    6 |      2.4 | x < 0 ∧ y < 0               |
| plus                        |   3   |   7 |    9 |      0.7 | false                       |
| plus.modif                  |   3   |   7 |    9 |      0.9 | x < 0 ∨ y < 0               |

Table 2. Termination preconditions for several program fragments from [15].

| Program                                | Cook et al. [15]                   | Linear Affine Loops (this paper) |
|----------------------------------------|------------------------------------|----------------------------------|
| if (lvar > 0)                          | lvar > 0 ∨ lvar < 0 ∨ lvar ≥ 2^30  | ¬(lvar = 0) ∨ lvar ≥ 2^30        |
|   while (lvar < 2^30)                  |                                    |                                  |
|     lvar = lvar << 1;                  |                                    |                                  |
| while (x > N)                          | x > 5 ∨ x + y > 0                  | true                             |
|   x = -2*x + 10;                       |                                    |                                  |
| //@ requires n > 200                   | y > 0                              | y > 0                            |
| x = 0;                                 |                                    |                                  |
| while (1)                              |                                    |                                  |
|   if (x < n) { x = x + y;              |                                    |                                  |
|     if (x > 200) break; }              |                                    |                                  |

8. Conclusion

We have presented several methods for deciding conditional termination of several classes of program loops manipulating integer variables. The universal termination problem has been found to be decidable for octagonal relations and for linear affine loops with the finite monoid property. For the class of polynomially bounded linear affine loops, we give sufficient termination conditions. Further, we extend the computation of weakest non-termination preconditions from simple loops to general programs, and define a class of programs, called flat, for which this computation yields precise results. Finally, we have implemented our method in the Flata tool [21] and performed a number of preliminary experiments.